The risk analysis process usually generates a document known as a risk matrix. This document shows the elements identified, the way they are related and the calculations performed. This risk analysis is essential to achieve correct risk management. Risk management refers to the management of the organization's resources.

There are different types of risks such as residual risk and total risk as well as risk treatment, risk evaluation and risk management among others. The formula to determine the total risk is:.

From this formula we will determine its treatment and after applying the controls we will be able to obtain the residual risk.

As described in BS ISO/IEC 27001:2005, risk assessment includes the following activities and actions:.

• - Identification of assets.

• - Identification of legal and business requirements that are relevant to the identification of assets.

• - Valuation of the identified assets, taking into account the legal and business requirements identified above, and the impact of a loss of confidentiality, integrity and availability.

• - Identification of important threats and vulnerabilities for the identified assets.

• - Evaluation of the risk, threats and vulnerabilities to occur.

• - Risk calculation.

• - Risk evaluation against a pre-established risk scale.

After carrying out the analysis we must determine the actions to take regarding the residual risks that were identified. The actions can be:

• - Control risk.- Strengthen existing controls and/or add new controls.

• - Eliminate the risk. - Eliminate the related asset and thereby eliminate the risk.

• - Sharing the risk.- Through contractual agreements, part of the risk is transferred to a third party.

• - Accept the risk. - It is determined that the level of exposure is adequate and therefore it is accepted.

Don't forget that in companies security begins from within. Training staff, creating standards-based norms, analyzing gaps and blind spots in logical security and information systems security.

It is essential to continuously create conflict scenarios with the participation of the company's management together with a security auditor; from these scenarios, measures can be achieved to avoid security events.

• - Asset. It is an object or resource of value used in a company or organization.

• - Threat. It is an event that can cause a security incident in a company or organization, resulting in potential loss or damage to its assets.

• - Vulnerability. It is a weakness that can be exploited with the materialization of one or more threats to an asset.

• - Risk. It is an incident or situation that occurs in a specific place in a specific time interval, with negative or positive consequences that can affect the fulfillment of objectives.

• - Analysis. Examine or decompose a whole, detailing each of the elements that make it up in order to determine the relationship between its principles and elements.

• - Control. It is a prevention and correction security mechanism used to reduce vulnerabilities.

This risk management process is a continuous process since it is necessary to periodically evaluate whether the risks found and whether they have an impact, a calculation must be made at the different stages of the risk. The mechanism that is reversed in the greatest number of organizations today is in the day-to-day effort. That is why carrying out project risk analysis refers to the project and the future impact on the organization's risk structure.

AA.

There are several tools on the market that can help you when evaluating risks, mainly in the risk assessment process. Once this process is completed, all the information collected must be documented for subsequent analysis. The tool that we must select must contain at least one data collection module, data analysis module, and another reporting module.

The importance of a good analysis and a good presentation of the analyzed data will lead us to an effective interpretation of the current risk situation and therefore, the selection of the controls that we must implement will be the most accurate in the selection process, saving costs in products and operating costs in addition to saving time.

• Minimum requirements for management, implementation and control of risks related to computer technology and information systems.

• Specifies the necessary requirements to establish, implement, maintain and improve an Information Security Management System (ISMS).

• This Standard provides guidelines for Information Security Risk Management in an Organization.

However, this Standard does not provide any specific methodology for information security risk analysis and management.

• International standard that serves as a reference for banking regulators, in order to establish the necessary capital requirements, to ensure the protection of entities against financial and operational risks.

• Promoted by the North American government in response to the mega corporate frauds promoted by Enron, Tyco International, WorldCom and Peregrine Systems. It is a set of measures aimed at ensuring the effectiveness of internal controls over financial reporting.

• Promoted by the main payment card brands, this standard seeks to guarantee the security of payment card holder data in its processing, storage and transmission.

Contenido

• - ITIL: Information Technology Infraestructure Library “proporciona un planteamiento sistemático para la provisión de servicios de TI con calidad”. (Jan van Bon, 2008).

• - COBIT 5: Significa (Objetivos de control para la información y tecnologías relacionadas) es una metodología publicada en 1996 por el Instituto de Control de TI y la ISACA (Asociación de Auditoría y Control de Sistemas de Información).

• - ISO 31000: Esta normativa establece principio y guías para diseñar, implementar mantener la gestión de los riesgos en forma sistemática y de transparencia de toda forma de riesgo, por ejemplo: financiera, operativa, de mercadeo, de imagen, y de seguridad de información.

• - Citicus One: software comercial de Citicus, implementa el método FIRM del Foro de Seguridad de la Información;.

• - CRAMM: “CCTA Risk Assessment and Management Methodology” fue originalmente desarrollado para uso del gobierno de UK pero ahora es propiedad de Siemens;.

• - ISO TR 13335: fue el precursor de la ISO/IEC 27005;.

• - MAGERIT “Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información” está disponible en castellano, inglés e italiano.[1]​.

• - CORAS: Consultative Objetive Risk Analysis System.

• - OCTAVE: “Operationally Critical Threat, Asset, and Vulnerability Evaluation” Metodología de Análisis y Gestión de Riesgos desarrollada por el CERT;.

• - NIST SP 800-39 “Gestión de Riesgos de los Sistemas de Información, una perspectiva organizacional”;.

• - NIST SP 800-30: Guía de Gestión de Riesgos de los Sistemas de Tecnología de la Información, es gratuito;.

• - Mehari: Método de Gestión y Análisis de Riesgos desarrollado por CLUSIF (Club de la Sécurité de l'Information Français);.

• - AS/NZS: Norma de Gestión de Riesgos publicada conjuntamente por Australia y Nueva Zelanda y ampliamente utilizada en todo el mundo.

Methodology information

CORAS.

Project developed since 2001 by Sintef, a Norwegian research group, whose objective is to provide a framework aimed at systems in which security is critical.[2]​.

It is a method for analyzing security risks, it structures the analysis of threats and risks using a specialized language, offering detailed guidelines on how to use this language to capture and model relevant information at each stage of the process.[2]​.

CORAS provides a tool designed to support documentation, maintenance and reporting of results in a consistent manner. This methodology provides detailed advice regarding which models should be built and how they should be expressed, as well as helping to reduce risks and measures to avoid them.[2]​.

Advantages of CORAS[3]​.

• - Follows a structured and defined process to ensure consistency in analyses; In addition, it uses tools for risk study.

• - It has a graphic editing tool for the design and creation of models. It has a language based on UML.

• - Use diagrams to represent risks.

• - Provides a report indicating the vulnerabilities found in the evaluation process.

Disadvantages of CORAS[3]​.

• - For large systems, there will be a considerable effort due to the amount of data.

• - Does not measure the degree of security.

• - Does not consider processes and dependencies in risk management.

• - Does not optimize the costs of information technologies.

• - Does not have a contingency plan.

Resources available on the different methodologies

• - In the English edition, while the first Book (Method) has evolved to version 3, the second and third books are downloaded in version 2 (download version).

• - In the Italian edition, we only have book I (Method), yes, in the latest version (Magerit v3).

• - GxSGSI: Risk Analysis and Management Tool based on Magerit and approved by the European Information Security Agency (ENISA).[4]​.

• - R-Box: Solution for Information Security Management and compliance with standards. Risk Analysis and Management Module.[5]​.

• - Focal Point: platform for technological and operational risk management. Supports regulatory guidelines such as MAAGTICSI, ISO 27001:2013, among others. https://web.archive.org/web/20161009155348/http://aluxit.com/soluciones.html.

• - SECITOR: High-level Risk Analysis and Management Tool that allows comprehensive management of Information Security being a multi-framework system (ISO 27001, Data Protection, ENS, ISO 19001, etc.), in addition to real-time monitoring of the organization's security. http://www.secitor.com/ Archived April 20, 2017 at the Wayback Machine.

• - Computer security.

• - Computer.

• - Hacker.

• - Computer science.

• - Cybercrime.

• - Internet.

• - Internet in science fiction.

Literature

• - Information security management systems (2006). «Part 3: Guidelines for information security risk management» (in English).

The risk analysis process usually generates a document known as a risk matrix. This document shows the elements identified, the way they are related and the calculations performed. This risk analysis is essential to achieve correct risk management. Risk management refers to the management of the organization's resources.

There are different types of risks such as residual risk and total risk as well as risk treatment, risk evaluation and risk management among others. The formula to determine the total risk is:.

From this formula we will determine its treatment and after applying the controls we will be able to obtain the residual risk.

As described in BS ISO/IEC 27001:2005, risk assessment includes the following activities and actions:.

• - Identification of assets.

• - Identification of legal and business requirements that are relevant to the identification of assets.

• - Valuation of the identified assets, taking into account the legal and business requirements identified above, and the impact of a loss of confidentiality, integrity and availability.

• - Identification of important threats and vulnerabilities for the identified assets.

• - Evaluation of the risk, threats and vulnerabilities to occur.

• - Risk calculation.

• - Risk evaluation against a pre-established risk scale.

After carrying out the analysis we must determine the actions to take regarding the residual risks that were identified. The actions can be:

• - Control risk.- Strengthen existing controls and/or add new controls.

• - Eliminate the risk. - Eliminate the related asset and thereby eliminate the risk.

• - Sharing the risk.- Through contractual agreements, part of the risk is transferred to a third party.

• - Accept the risk. - It is determined that the level of exposure is adequate and therefore it is accepted.

Don't forget that in companies security begins from within. Training staff, creating standards-based norms, analyzing gaps and blind spots in logical security and information systems security.

It is essential to continuously create conflict scenarios with the participation of the company's management together with a security auditor; from these scenarios, measures can be achieved to avoid security events.

• - Asset. It is an object or resource of value used in a company or organization.

• - Threat. It is an event that can cause a security incident in a company or organization, resulting in potential loss or damage to its assets.

• - Vulnerability. It is a weakness that can be exploited with the materialization of one or more threats to an asset.

• - Risk. It is an incident or situation that occurs in a specific place in a specific time interval, with negative or positive consequences that can affect the fulfillment of objectives.

• - Analysis. Examine or decompose a whole, detailing each of the elements that make it up in order to determine the relationship between its principles and elements.

• - Control. It is a prevention and correction security mechanism used to reduce vulnerabilities.

This risk management process is a continuous process since it is necessary to periodically evaluate whether the risks found and whether they have an impact, a calculation must be made at the different stages of the risk. The mechanism that is reversed in the greatest number of organizations today is in the day-to-day effort. That is why carrying out project risk analysis refers to the project and the future impact on the organization's risk structure.

AA.

There are several tools on the market that can help you when evaluating risks, mainly in the risk assessment process. Once this process is completed, all the information collected must be documented for subsequent analysis. The tool that we must select must contain at least one data collection module, data analysis module, and another reporting module.

The importance of a good analysis and a good presentation of the analyzed data will lead us to an effective interpretation of the current risk situation and therefore, the selection of the controls that we must implement will be the most accurate in the selection process, saving costs in products and operating costs in addition to saving time.

• Minimum requirements for management, implementation and control of risks related to computer technology and information systems.

• Specifies the necessary requirements to establish, implement, maintain and improve an Information Security Management System (ISMS).

• This Standard provides guidelines for Information Security Risk Management in an Organization.

However, this Standard does not provide any specific methodology for information security risk analysis and management.

• International standard that serves as a reference for banking regulators, in order to establish the necessary capital requirements, to ensure the protection of entities against financial and operational risks.

• Promoted by the North American government in response to the mega corporate frauds promoted by Enron, Tyco International, WorldCom and Peregrine Systems. It is a set of measures aimed at ensuring the effectiveness of internal controls over financial reporting.

• Promoted by the main payment card brands, this standard seeks to guarantee the security of payment card holder data in its processing, storage and transmission.

Contenido

• - ITIL: Information Technology Infraestructure Library “proporciona un planteamiento sistemático para la provisión de servicios de TI con calidad”. (Jan van Bon, 2008).

• - COBIT 5: Significa (Objetivos de control para la información y tecnologías relacionadas) es una metodología publicada en 1996 por el Instituto de Control de TI y la ISACA (Asociación de Auditoría y Control de Sistemas de Información).

• - ISO 31000: Esta normativa establece principio y guías para diseñar, implementar mantener la gestión de los riesgos en forma sistemática y de transparencia de toda forma de riesgo, por ejemplo: financiera, operativa, de mercadeo, de imagen, y de seguridad de información.

• - Citicus One: software comercial de Citicus, implementa el método FIRM del Foro de Seguridad de la Información;.

• - CRAMM: “CCTA Risk Assessment and Management Methodology” fue originalmente desarrollado para uso del gobierno de UK pero ahora es propiedad de Siemens;.

• - ISO TR 13335: fue el precursor de la ISO/IEC 27005;.

• - MAGERIT “Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información” está disponible en castellano, inglés e italiano.[1]​.

• - CORAS: Consultative Objetive Risk Analysis System.

• - OCTAVE: “Operationally Critical Threat, Asset, and Vulnerability Evaluation” Metodología de Análisis y Gestión de Riesgos desarrollada por el CERT;.

• - NIST SP 800-39 “Gestión de Riesgos de los Sistemas de Información, una perspectiva organizacional”;.

• - NIST SP 800-30: Guía de Gestión de Riesgos de los Sistemas de Tecnología de la Información, es gratuito;.

• - Mehari: Método de Gestión y Análisis de Riesgos desarrollado por CLUSIF (Club de la Sécurité de l'Information Français);.

• - AS/NZS: Norma de Gestión de Riesgos publicada conjuntamente por Australia y Nueva Zelanda y ampliamente utilizada en todo el mundo.

Methodology information

CORAS.

Project developed since 2001 by Sintef, a Norwegian research group, whose objective is to provide a framework aimed at systems in which security is critical.[2]​.

It is a method for analyzing security risks, it structures the analysis of threats and risks using a specialized language, offering detailed guidelines on how to use this language to capture and model relevant information at each stage of the process.[2]​.

CORAS provides a tool designed to support documentation, maintenance and reporting of results in a consistent manner. This methodology provides detailed advice regarding which models should be built and how they should be expressed, as well as helping to reduce risks and measures to avoid them.[2]​.

Advantages of CORAS[3]​.

• - Follows a structured and defined process to ensure consistency in analyses; In addition, it uses tools for risk study.

• - It has a graphic editing tool for the design and creation of models. It has a language based on UML.

• - Use diagrams to represent risks.

• - Provides a report indicating the vulnerabilities found in the evaluation process.

Disadvantages of CORAS[3]​.

• - For large systems, there will be a considerable effort due to the amount of data.

• - Does not measure the degree of security.

• - Does not consider processes and dependencies in risk management.

• - Does not optimize the costs of information technologies.

• - Does not have a contingency plan.

Resources available on the different methodologies

• - In the English edition, while the first Book (Method) has evolved to version 3, the second and third books are downloaded in version 2 (download version).

• - In the Italian edition, we only have book I (Method), yes, in the latest version (Magerit v3).

• - GxSGSI: Risk Analysis and Management Tool based on Magerit and approved by the European Information Security Agency (ENISA).[4]​.

• - R-Box: Solution for Information Security Management and compliance with standards. Risk Analysis and Management Module.[5]​.

• - Focal Point: platform for technological and operational risk management. Supports regulatory guidelines such as MAAGTICSI, ISO 27001:2013, among others. https://web.archive.org/web/20161009155348/http://aluxit.com/soluciones.html.

• - SECITOR: High-level Risk Analysis and Management Tool that allows comprehensive management of Information Security being a multi-framework system (ISO 27001, Data Protection, ENS, ISO 19001, etc.), in addition to real-time monitoring of the organization's security. http://www.secitor.com/ Archived April 20, 2017 at the Wayback Machine.

• - Computer security.

• - Computer.

• - Hacker.

• - Computer science.

• - Cybercrime.

• - Internet.

• - Internet in science fiction.

Literature

• - Information security management systems (2006). «Part 3: Guidelines for information security risk management» (in English).