A Computer Security Incident is an event occurring in a system that constitutes a threat to the company's business or to the security or privacy of its employees. Risk management is essential for good corporate governance: it enables an organization to address the risks to which it is exposed at lower cost. Risk can be defined as the combination of the probability of an event occurring and its consequences for the organization's objectives. Risks can be external or internal and are classified as strategic, operational or financial in nature.
A risk management process should follow a logical structure:
- Risk Assessment
  - Risk Analysis
    - Risk Identification (assets, vulnerabilities, threats, consequences, existing controls; recorded in a risk register)
    - Risk Estimation (likelihood and impact of each identified risk)
  - Risk Evaluation (comparison of the estimated risk against the organization's risk acceptance criteria)
- Risk Treatment
  - Risk reduction
  - Risk retention
  - Risk avoidance
  - Transfer of risk
- Risk acceptance
- Monitoring and review
- Communication and consultation
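The assessment and treatment steps above, as an added worked example that is not part of the original page: a minimal risk register in Python that records assets, threats, vulnerabilities and existing controls, scores inherent and residual risk as likelihood × impact, and maps each entry to one of the treatment options. The 1 to 5 ordinal scales, the risk-appetite threshold, the treatment heuristics and the sample entries are constructed assumptions for illustration, not a standard or the page's own method.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

LEVELS = (1, 2, 3, 4, 5)  # assumed ordinal scale for both likelihood and impact


@dataclass
class Risk:
    """One row of the risk register (risk identification step)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # probability of the event: 1 (rare) .. 5 (almost certain)
    impact: int              # consequence on objectives: 1 (negligible) .. 5 (severe)
    existing_controls: List[str] = field(default_factory=list)
    control_effectiveness: float = 0.0  # fraction (0..1) by which controls reduce likelihood

    def __post_init__(self) -> None:
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")

    def inherent_score(self) -> int:
        """Risk estimation before considering existing controls."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk estimation after existing controls; controls lower likelihood, not impact."""
        return self.likelihood * (1.0 - self.control_effectiveness) * self.impact


def recommend_treatment(risk: Risk, appetite: float) -> str:
    """Risk evaluation + treatment choice. Thresholds are assumed, not prescriptive."""
    residual = risk.residual_score()
    if residual <= appetite:
        return "retain"      # within appetite: accept and keep monitoring
    if residual >= 20:
        return "avoid"       # extreme even after controls: stop or redesign the activity
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"    # low-probability, high-impact: insurance / contractual transfer
    return "reduce"          # otherwise add or strengthen controls


def build_register(risks: List[Risk], appetite: float) -> List[Tuple[str, float, str]]:
    """Prioritised register: (asset, residual score, treatment), highest residual first."""
    rows = [(r.asset, r.residual_score(), recommend_treatment(r, appetite)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample entries (assumptions for the example, not real findings).
SAMPLE_RISKS = [
    Risk("Customer database", "ransomware", "unpatched VPN appliance", 4, 5,
         ["offline backups"], 0.25),
    Risk("Primary data centre", "flood", "single site, no failover", 2, 5),
    Risk("Public website", "defacement", "outdated CMS plugin", 3, 2,
         ["web application firewall"], 0.5),
    Risk("Legacy file server", "data exfiltration", "SMBv1 exposed to the internet", 5, 5),
]
RISK_APPETITE = 6.0  # assumed acceptance threshold on the residual score


if __name__ == "__main__":
    for asset, residual, treatment in build_register(SAMPLE_RISKS, RISK_APPETITE):
        print(f"{asset:22s} residual={residual:5.1f}  treatment={treatment}")
```

Each register row is a risk identification record; `inherent_score` and `residual_score` are the estimation step, and `recommend_treatment` is the evaluation step that feeds into treatment. Anything that lands on "retain" still belongs in the monitoring and review loop, since likelihood and control effectiveness change over time.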
To minimize the cost of any IT service availability failure, it is crucial to have a plan for incident prevention, detection and response. In coordination with the company, and with the necessary confidentiality guaranteed contractually, we may perform different types of attacks in order to determine whether they are detected in time by the company and how mature its response to the identified threat is.