Authors: Sajad Abedi and Mahdi Mohammadi
Due to the increasing role of information security in the management of any society, public and private organizations and institutions are inevitably required to provide the infrastructure necessary to achieve it. Beyond material resources, management techniques also have a great impact on the optimal and successful implementation of information security management systems. Management standards in the field of ICT information security can be applied in a planned way to change the security situation of an organization according to its needs and to ensure security in terms of business continuity and, to some extent, at other levels (crisis management and soft war). Despite extensive research in this area, and unfortunately for various reasons, including the sensitivity of the subject for governmental and non-governmental institutions or the direct relationship of the field with their interests, clear and useful information on how to implement such a system, and on how to prioritize its implementation, has not emerged over the years up to the present day.
The protection of the organization’s information resources is essential to ensure the successful continuation of business activities. The fact that information and information assets play a key role in the success of organizations has necessitated a new approach to protecting them. Until now, risk analysis and management has been used to identify the information security needs of the organization. After analyzing the risks, security controls were identified and implemented to bring the risks to an acceptable level. But it seems that risk analysis is not enough to identify the information security needs of the organization. Evidence of this claim is that risk analysis does not take into account legal requirements, regulations and other factors that are not considered as risk, but are mandatory for the organization.
Identifying, assessing and managing information security risks is one of the key steps in reducing cyber threats to organizations and in preventing the unfortunate consequences of security incidents; it makes organizations better prepared to face cyber risks. The risk assessment process, which is the first phase of the set of risk management activities, provides significant assistance to organizations in making the right decision when selecting security solutions. Risk assessment is actually done to answer the following questions:

* If a particular hazard occurs in the organization, how much damage will it cause?
* What is the probability of each risk occurring?
* How much does controlling each risk cost, and is it affordable or not?

The results of risk assessment can help in the correct orientation when choosing solutions (which is to eliminate the main threats) and can also be used in formulating and modifying the security policies of the organization. Risk management is a comprehensive process used to determine, identify, control, and minimize the effects and consequences of potential events. This process allows managers to strike the right balance between operating costs and financial costs, and to achieve relevant benefits by protecting the business processes that support the organization’s goals. The risk management process can greatly reduce the number and severity of security incidents that occur in the organization. Risk management has 5 steps, which are:

1. Planning: At this stage, how potential risks in the organization will be managed is determined and completed by developing a risk management plan. This plan defines the risk management team, the roles and responsibilities of individuals, and the criteria for assessing identified risks, and these are documented.
2. Identification: At this stage, team members gather, identify potential hazards, and record them in the organization’s risk list. Arranging group brainstorming sessions is a good way to identify hazards.
3. Assessment: In this step, the identified risks are assessed using the criteria defined in the risk management plan. Risks are assessed based on their probability of occurrence and their possible consequences.
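The following is an added worked example, not code from the authors, showing the three assessment questions above (damage, probability, control cost and affordability) applied to a small risk register, with the assessment criteria taken from a planning step and a legally required control flagged separately, since, as noted earlier, a pure risk score does not capture mandatory requirements. The 1..5 scales, the likelihood × impact level, the treatment threshold, the affordability rule (a control is affordable when its annual cost does not exceed the expected annual loss it removes) and every value in the register are assumptions constructed for this illustration.

```python
"""Worked qualitative risk assessment, added as an illustration (not from the paper).

Assumptions (constructed for this example, not taken from the authors):
- likelihood and impact are scored on a 1..5 ordinal scale defined in the
  risk management plan;
- risk level = likelihood * impact (1..25); levels at or above a threshold
  must be treated;
- a control is 'affordable' when its annual cost does not exceed the expected
  annual loss it removes (expected loss = probability * damage);
- a control mandated by law or regulation is applied regardless of score.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), per the plan's criteria
    impact: int                # 1 (negligible) .. 5 (severe)
    annual_probability: float  # chance the event occurs within a year
    damage: float              # loss if it occurs, in currency units
    control_cost: float        # annual cost of the proposed control
    control_reduction: float   # fraction of expected loss the control removes (0..1)
    legally_required: bool = False  # control mandated by regulation, not by risk score

    def __post_init__(self) -> None:
        # Reject values outside the scales the plan defines.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood/impact must be 1..5")
        if not (0.0 <= self.annual_probability <= 1.0 and 0.0 <= self.control_reduction <= 1.0):
            raise ValueError(f"{self.name}: probabilities/fractions must be 0..1")

    @property
    def level(self) -> int:
        """Qualitative risk level: likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    @property
    def expected_annual_loss(self) -> float:
        """Damage weighted by probability: what the organization expects to lose per year."""
        return self.annual_probability * self.damage

    def control_is_affordable(self) -> bool:
        """The control pays for itself when its cost does not exceed the loss it removes."""
        return self.control_cost <= self.expected_annual_loss * self.control_reduction


def rating(level: int) -> str:
    """Map the numeric level onto the plan's three bands (assumed cut-offs)."""
    if level >= 15:
        return "high"
    if level >= 8:
        return "medium"
    return "low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest level first, so the main threats are addressed before minor ones."""
    return sorted(register, key=lambda r: r.level, reverse=True)


def decide(risk: Risk, treat_threshold: int = 8) -> str:
    """Treatment decision: mandatory controls first, then score, then affordability."""
    if risk.legally_required:
        return "treat (mandatory)"
    if risk.level >= treat_threshold:
        return "treat" if risk.control_is_affordable() else "treat (control too costly, reconsider)"
    return "accept"


def assess(register: list[Risk], treat_threshold: int = 8) -> list[dict]:
    """Produce the assessed, prioritized register as plain rows."""
    return [
        {
            "name": r.name,
            "level": r.level,
            "rating": rating(r.level),
            "expected_annual_loss": r.expected_annual_loss,
            "control_affordable": r.control_is_affordable(),
            "decision": decide(r, treat_threshold),
        }
        for r in prioritize(register)
    ]


# Constructed sample register: names and figures are invented for the example.
SAMPLE_REGISTER = [
    Risk("ransomware on file server", 4, 5, 0.30, 200_000, 25_000, 0.8),
    Risk("unencrypted laptop theft", 3, 2, 0.50, 5_000, 4_000, 0.9),
    Risk("privileged account misuse", 2, 5, 0.10, 150_000, 8_000, 0.6),
    Risk("personal data kept past legal retention", 2, 2, 0.20, 3_000, 2_000, 1.0,
         legally_required=True),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['name']:<42} level={row['level']:>2} {row['rating']:<6} "
              f"EAL={row['expected_annual_loss']:>9.0f} "
              f"affordable={row['control_affordable']!s:<5} -> {row['decision']}")
```

Running the script prints the register in priority order: the ransomware risk (level 20, high) and privileged account misuse (level 10, medium) are treated because their controls cost less than the loss they remove; laptop theft (level 6) falls under the threshold and is accepted even though its control would not pay for itself; and the retention risk is treated despite a low score because the requirement is legal rather than risk-driven.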