{"id":15444,"date":"2024-09-16T14:15:00","date_gmt":"2024-09-16T12:15:00","guid":{"rendered":"https:\/\/oberender.com\/unkategorisiert\/information-security-part-3-information-inventory-and-risk-management\/"},"modified":"2024-10-07T12:20:47","modified_gmt":"2024-10-07T10:20:47","slug":"information-security-part-3-information-inventory-and-risk-management","status":"publish","type":"post","link":"https:\/\/oberender.com\/en\/blog-en\/information-security-part-3-information-inventory-and-risk-management\/","title":{"rendered":"Information Security Part 3 – Information Inventory and Risk Management"},"content":{"rendered":"\n

Great – you’re still at it: you’ve dealt with the importance of information security and set up an organization for it.\nNow let’s start with one of the most important components, the risk management system<\/strong>. <\/p>\n\n

The first step in the implementation process is to take stock of your information.\nMore on this in a moment.\nYou can assign the task to your newly created organization and then have it report back to you. <\/p>\n\n

Risk management terms briefly explained<\/h3>\n\n

While you have given this task to the organization, we would like to explain some risk management terms to you, because you will be confronted with them in the course of further development and you will be making decisions about them.\nIt’s about risk, how to make it measurable and how you deal with it strategically: <\/p>\n\n

    \n
  1. Risk capacity:<\/strong> This is the maximum impact of an emerging risk on your company that the company can just about bear without jeopardizing its existence.<\/li>\n\n\n\n
  2. Risk appetite:<\/strong> These are risks that a company must and wants to take as part of its strategy.\nYou can also simply say that no company can be successful without taking risks.\nYou should be aware of these. <\/li>\n\n\n\n
  3. Risk tolerance:<\/strong> This is the expression of the fluctuation range around the risk appetite that a company is willing to take<\/li>\n\n\n\n
  4. Residual risk:<\/strong> In the real world, nothing is without risk.\nOf course a meteorite can fall on your data center!\nThe risk is small, but not zero! <\/li>\n<\/ol>\n\n

    These indicators or key figures are important for the risk assessment in the following steps.\nThis is because you will have to decide how to deal with identified risks.\nThe figures mentioned above will help you to classify them. <\/p>\n\n

    Now it’s time to get started with the inventory.<\/h3>\n\n

    For the information inventory, it is best to start with the business processes and define what, where and how is processed, generated and stored. <\/p>\n\n

    The “where<\/strong>” should also include organizational and spatial details.\nThe “how<\/strong>” should also include the communication structure and you can summarize the “what” if you can be sure that risks have the same effect on a group of information (e.g. everything in a HIS system).\nYou can also use your existing data protection procedure directory as a source of knowledge for these considerations. <\/p>\n\n

    At this point, you have defined the context according to ISO\/EC 27005 and set the starting point for risk identification, completed the modeling of the context according to the MONARC method, defined the conceptual model of the governance framework in COBIT and fulfilled at least 18 essential MUST items according to the B3S for hospitals.\nYou and your employees are well on your way! <\/p>\n\n

    Risk management starts after the inventory has been created<\/h3>\n\n

    Once you have created your inventory, you can start to delve deeper into risk management.\nFirst, consider the value of the information for your company.\nTake strategic, economic, legal and medical perspectives into account.\nFor example, what are the consequences of <\/p>\n\n