The methodology proposed through Risk In Deep is essentially based on a qualitative assessment model and is aimed at identifying the level of Inherent (or Potential) Risk, expressed in the three components of Confidentiality, Integrity and Availability, borne by each Entity connected to a Process (Data, Systems, Archives, etc.). The Inherent Risk is measured without considering the security measures in place.
The identification of the Inherent Risk (Risk Assessment) makes it possible to determine which logical, physical and organisational security controls must be adopted to reduce the Inherent Risk to the level of Residual Risk that the customer deems appropriate to accept (Risk Management).
Inherent Risk Calculation
The methodological approach chosen by Risk In Deep is based on the principles and guidelines dictated by the ISO 31000 standard and on the Information Risk Assessment Methodology 2 (IRAM2), a methodology produced by the Information Security Forum (ISF).
The methodology makes it possible to assess the risk of the different corporate entities that cooperate in a business process and to manage and monitor over time the security measures necessary to contain this risk. This result is obtained by exploiting the power of representation offered by link analysis methods. In a nutshell, the elements are combined and contribute to the calculation of the Inherent Risk for each entity involved in the processing of personal data or, more generally, in the business process.
Threats and Vulnerabilities
The Inherent Risk is also assessed through the threats and vulnerabilities associated with each type of Entity.
Entity Attributes
The Inherent Risk is assessed through the values assigned to numerical attributes: for example, Process Classification, Impact on data, and effects within possible Risk scenarios (Business, Image, Legal, Rights and Freedoms of the data subjects, etc.).
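The page describes Inherent Risk per Confidentiality, Integrity and Availability component, measured before controls, and Residual Risk after controls are compared with the level the customer accepts. The following Python is an added illustration of that workflow, not Risk In Deep's own calculation: the 3x3 impact-by-likelihood scale, the assumption that a control lowers the likelihood of one component by a fixed number of levels, the entity, controls and risk appetite are all constructed for the example.

```python
"""Illustrative inherent vs. residual risk per CIA component.

Hypothetical qualitative scale (impact x likelihood on a 3-level scale);
this is an added example, not the Risk In Deep methodology's own formula.
"""
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}
COMPONENTS = ("confidentiality", "integrity", "availability")


@dataclass
class Entity:
    name: str
    impact: dict      # component -> "low" | "medium" | "high" (from entity attributes)
    likelihood: dict  # component -> level derived from threats and vulnerabilities


@dataclass
class Control:
    name: str
    component: str
    reduction: int    # likelihood levels removed (assumption for this example)


def inherent_risk(entity: Entity) -> dict:
    """Inherent risk ignores controls: impact x likelihood per component (1..9)."""
    return {c: LEVEL[entity.impact[c]] * LEVEL[entity.likelihood[c]] for c in COMPONENTS}


def residual_risk(entity: Entity, controls: list) -> dict:
    """Residual risk: controls lower likelihood (never below 1); impact is unchanged."""
    out = {}
    for c in COMPONENTS:
        likelihood = LEVEL[entity.likelihood[c]]
        for ctl in controls:
            if ctl.component == c:
                likelihood -= ctl.reduction
        out[c] = LEVEL[entity.impact[c]] * max(1, likelihood)
    return out


def rating(score: int) -> str:
    """Map a numeric score back onto the qualitative scale."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def gaps(residual: dict, appetite: dict) -> list:
    """Components whose residual risk still exceeds the accepted level."""
    return [c for c in COMPONENTS if LEVEL[rating(residual[c])] > LEVEL[appetite[c]]]


# Constructed sample data for one entity of a hypothetical process.
CUSTOMER_ARCHIVE = Entity(
    "customer archive",
    impact={"confidentiality": "high", "integrity": "medium", "availability": "low"},
    likelihood={"confidentiality": "high", "integrity": "medium", "availability": "medium"},
)
CONTROLS = [
    Control("encryption at rest", "confidentiality", 1),
    Control("periodic access review", "confidentiality", 1),
]
RISK_APPETITE = {"confidentiality": "medium", "integrity": "low", "availability": "medium"}

if __name__ == "__main__":
    inherent = inherent_risk(CUSTOMER_ARCHIVE)
    residual = residual_risk(CUSTOMER_ARCHIVE, CONTROLS)
    for c in COMPONENTS:
        print(f"{c:16} inherent={inherent[c]} ({rating(inherent[c])})"
              f"  residual={residual[c]} ({rating(residual[c])})")
    print("still above appetite:", gaps(residual, RISK_APPETITE))
```

With the sample data, confidentiality drops from 9 (high) to 3 (medium) once the two controls apply, availability was already low, and integrity stays at 4 (medium) against a "low" appetite, so `gaps` reports it as the component still needing a control; that is the Risk Management step the page describes.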