Risk & Compliance

The structured assessment of risks and the measurement of compliance are key tasks in well-functioning IT security. By carrying out these tasks in a structured way, costs can be saved while the security level is raised at the same time.

The risk that an organization runs in a certain area must be derived by correlating different information sources. First, it must be clear which systems in the network are vulnerable, how many there are, and what value these systems have for the organization: what is the priority? In addition, it must be clear whether threats exist that target the vulnerability, what type of threats these are and what the consequences could be. From this combined knowledge a risk determination can be put together that serves as the basis for deciding whether or not to address the vulnerability in the short term.

If a well-substantiated risk assessment is NOT made, there is a danger that vulnerabilities remain unknown until they are exploited, or that too many resources are dedicated to resolving vulnerabilities that are not critical at all. Moreover, a good risk analysis provides insight into the number of vulnerable systems, which is useful information when additional technology has to be acquired.

Measuring compliance allows an organization to show that it is adhering to its defined policy. What this policy looks like and which objectives are to be pursued is primarily for the organization itself to determine. Of course, many sectors have applicable guidelines that more or less prescribe how information security is to be handled, such as NEN7510 in the health care industry. Being able to demonstrate internally that agreements are being kept is important in itself, but the system available for this can also be used to show the security status to an external auditor.