Infoturbe riskijuhtimine finantsettevõttes
Abstract
Infoturbe riskihindamine finantsinstitutsioonis on oluline, et mõista ettevõtte varade konfidentsiaalsuse, tervikluse ja käideldavuse riskipositsiooni. Kolmandate osapooltega seotud riskide olulisus on finantsinstitutsioonide jaoks kasvanud. Ettevõtete soov on tagada informatsiooni turvalisus optimeerides samal ajal efektiivselt investeeringuid. Täna on valdavalt kasutusel meetodid, mis tuginevad ekspertide arvamustele ja individuaalsetele hinnangutele, mistõttu kajastavad tulemused vaid limiteeritud vaadet eksisteerivatele riskidele. See on probleem, sest ettevõtted ei soovi teha suure mahulisi investeeringuid turvalisusesse ilma võimalikult täpselt riske hindamata. Käesolevas uurimistöös on käsitletud kahte infoturbe riski hindamise meetodit: ISSRM ja Bayesi võrkudel põhinevat ründepuud. Käsitledes kolmandate osapooltega seotud allhanget kui äriprotsessi, on koostatud süsteemne võrdlus nende meetodite kohta ning hinnatud allhanke korral tekkida võiva riski suurust organisatsioonile. Pakutud on soovitused, kuidas ühendada infoturbe riskijuhtimise metoodika tõenäosusliku riskihindamise metoodikaga. Tulemused on hinnatud valdkonna spetsialistide poolt.
Information security risk assessment in a financial institution is important for understanding risk exposure to the confidentiality, integrity, and availability of assets. Third-party security is recognized to have a growing importance for financial sector organizations. A financial institution aims for securing information while justifying budgeting decisions. Unfortunately, commonly used methods are dependent on value judgments and individual assurances which limit their reflection of existing uncertainties in reality. This is a problem because organizations do not want to allocate resources into security without accurately estimating their exposure to risks. The paper introduces two information security risk assessment methods: Information System Security Risk Management method and Bayesian Networks Based Attack Graphs. A systematic comparison of the methods is made in the context of third-party outsourcing. A proposition of how to combine a security risk management method together with a probabilistic risk assessment method has been made. Feedback and validation have been given by experts in the field.
Information security risk assessment in a financial institution is important for understanding risk exposure to the confidentiality, integrity, and availability of assets. Third-party security is recognized to have a growing importance for financial sector organizations. A financial institution aims for securing information while justifying budgeting decisions. Unfortunately, commonly used methods are dependent on value judgments and individual assurances which limit their reflection of existing uncertainties in reality. This is a problem because organizations do not want to allocate resources into security without accurately estimating their exposure to risks. The paper introduces two information security risk assessment methods: Information System Security Risk Management method and Bayesian Networks Based Attack Graphs. A systematic comparison of the methods is made in the context of third-party outsourcing. A proposition of how to combine a security risk management method together with a probabilistic risk assessment method has been made. Feedback and validation have been given by experts in the field.