Information security risk management
Due to the growing number of cyberattacks, modern organizations are increasingly exposed to information security (IS) risks that can lead to financial, reputational, or operational losses. Organizations that want to mitigate this negative impact must be proactive about their cyber security. An effective IS risk management process helps them do so by answering the following questions: "What should we protect, how should we protect it, and what would be a reasonable investment in doing so?"
How EY can help
Our team of experts assists clients in developing and implementing an IS risk management process that identifies, assesses and treats, in a timely manner, risks that could compromise the confidentiality, integrity and availability of critical information.
Since this process is continuous and cyclical, we go through the first cycle together with the client's team as a collaborative project, establishing the process and preparing the team to run further cycles independently.
After a project with us, clients can answer the following questions:
- What information exists and what is its level of criticality?
- What losses may they face because of disclosure, unauthorized modification, or destruction of critical information?
- What are the threats targeting critical information, its storage and processing locations, and what is the likelihood of these threats being realized?
- What protective measures should be implemented to mitigate the potential damage or reduce the likelihood of threats being realized, and what is the associated cost of implementing these measures?
We help our clients understand which protective measures are economically justified, given the identified risks, their level, and the possible losses to the company.
What we do
In order to successfully implement and establish the process of IS risk management, we perform the following tasks together with the client's team:
- Methodology. No mature process can work effectively without clearly defined rules and responsibilities. That is why we always start our projects by updating the existing methodology or developing a new one, describing in detail every process step, the input and output information each step requires, and the roles and responsibilities involved.
- Information inventory. We identify the information that is created and processed in the company, the locations where it is stored and processed, and the users inside and outside the company who should have access to it and work with it.
- Criticality assessment. Once we know what information the company has, we determine its criticality, taking into account the type and level of losses that would result from its disclosure, unauthorized modification or deletion.
- Threat and vulnerability assessment. We identify vulnerabilities in the places where information is stored and processed, as well as the threats that target them. For each identified threat, we estimate the likelihood of its realization, taking into account the protective measures already implemented in the company. Based on this information, we determine the criticality level of each IS risk.
- Risk treatment. Once all risks are identified, they are analyzed and a risk treatment option is chosen for each: acceptance, transfer, mitigation, or avoidance. The next step is to develop the necessary risk mitigation measures, budgets and implementation plans.
Our team has extensive experience in implementing a wide range of information security projects, including information security risk management projects. The Ukrainian team has completed more than 10 such projects over the past 5 years for local companies that lead their fields. Our approach draws on leading information security practices, in particular ISO 27001, the NIST Cybersecurity Framework, and others.