Sunday 23 November 2014

InfoSaaS Launches its Cloud-Based IT Risk Management Software

24 November 2014 – InfoSaaS Limited: The "Information Security as a Service" company has announced the launch of its new ISO27001 cloud-based risk assessment software.

It has been designed to enable customers to quickly, simply and cost-effectively identify and manage their IT security risks, whilst also supporting the achievement and retention of ISO27001 certification, the international standard for information security management.

A combination of high-profile security breaches, increasing data protection legislation and demand from customers to prove that their data is appropriately protected is driving many organisations to realise the need to properly secure their valuable data.

Based upon a proven methodology that has delivered many successful ISO27001 certifications, InfoSaaS enables its customers to identify their assets and to assess the threats to, and vulnerabilities of, those assets, which in turn helps them to implement and manage appropriate security controls.

Because InfoSaaS is cloud-based, customers do not need to procure, deploy and manage their own hardware and software, which provides security, flexibility and cost-effectiveness. The product is accessible from any device type, anywhere, at any time, offering a single pane of glass through which to view an organisation's information security status.

John Godwin, CEO InfoSaaS, said: “As organisations and individuals entrust more of their valuable information to IT systems, it is vital that data security is understood and properly managed. With new vulnerabilities and threats being reported on a daily basis, the development and operation of an Information Security Management System is one of the most important commitments an organisation can deliver to protect its business activities and its customers.”

Godwin continues: “Traditionally, achieving ISO27001 certification has been a challenge for many organisations, often due to the lengthy nature of the preparation and the common need to engage specialist resources. At InfoSaaS, we have commoditised many years of practical ISO27001 implementation experience into a user-friendly service, which has already helped a number of organisations to successfully realise their information security objectives.”

InfoSaaS is headquartered in the UK and offers international hosting options that allow customers to retain their data within their own operating territory.

About InfoSaaS

InfoSaaS is an innovative information security software provider, deploying cloud-based services globally. Combining over 20 years of IT risk management experience with the latest web technologies, InfoSaaS aims to simplify the ISO27001 certification process for its customers.

For further information, please contact:

InfoSaaS Ltd, 145-157 St John Street, London, EC1V 4PW, UK
T: +44 (0) 203 474 1290
E: info@infosaas.uk or visit: www.infosaas.uk

Saturday 8 November 2014

Developing an Appetite for Risk?

Risk assessment tools such as InfoSaaS are based around calculating a level of risk and comparing the result against a pre-defined threshold that the organisation has determined to be its "risk appetite". But what does this term actually mean, how is it calculated, and how does it become a pragmatic yet effective foundation for your Information Security Management System?

From the outset, having an appetite for risk is a strange concept to many. Quite reasonably, people believe that nobody would willingly accept a risk that could be avoided, and ask how a number can be put on something which is, by its very nature, so difficult to quantify. To put these views into context, information security risk management has to deal with a wide range of potential "bad things", from power outages to credit card fraud, and from component failure to employee theft (amongst many, many more). Managing those risks always costs money and effort, and the best result you can hope for is that the predicted events do not happen: business as usual.

Risk appetite is built around the reasonable assumption that not every identified risk should be dealt with at all costs: some will be disproportionately expensive to resolve, and some will have such a low impact on your organisation that implementing complex controls as directed by a policy may be assessed as simply not being an appropriate use of time and money. So how can you determine risk appetite in a pragmatic fashion?

Firstly, how would your organisation like to assess the impact if something bad were to happen? For many this maps directly onto money: "we have contingency to fix things if the cost is below £10k, but above that we'd have to divert funds from live operations". Diverting funds from live operations affects ongoing business, so in its crudest form this separates the events the organisation could absorb from those it must take a little more care to prevent. Another method is to assess the negative impact of particular events on the organisation's credibility or brand reputation, and to separate those that must be avoided at all costs, as a matter of business survival, from those that customers would not even notice.

Next, add some justification to these decisions by looking at probability and impact. Probability can be assessed by looking for similar events in comparable industries, or by reviewing media reports of incidents and breaches to judge whether your organisation could be similarly affected in future. Your own incident and help-desk records are usually a better guide to probability than media reports, which only cover the breaches that became public. As noted above, impact can be measured in hard cash (the cost to put things right), but it is also likely to include unwanted negative publicity and the resulting advantage to competitors.

Most risk assessment methodologies compare probability against impact to determine whether a risk is acceptable, i.e. whether the calculated risk falls above or below the organisation's risk appetite. Within InfoSaaS we use a 5x5 matrix: probability and impact are each scored from 1 to 5 and multiplied, giving a risk score between 1 and 25. An event that is extremely unlikely to happen, and which nobody would notice or be affected by if it did, would be graded as "1" (1 x 1). A negative event that is definitely going to happen, and which would call the continued operation of the business into question when it does, would be graded as "25" (5 x 5).

In our experience, the senior management of most organisations set an acceptable risk limit (their risk appetite) somewhere between "7" (very cautious) and "12" (more bullish), although we have seen values either side of these. Our own ISMS operates at "10". In its simplest form, scores below 10 (lower probability, lesser impact) are accepted as part of the risk of delivering normal business, whilst anything above 10 (more likely to happen, with greater impact) is looked at carefully to see whether better security controls can be implemented, or whether existing controls need to be delivered more effectively. Two points are worth stating explicitly in the policy: what happens to a score that lands exactly on the limit (in a 5x5 product matrix, 2 x 5 and 5 x 2 both give 10), and whether a high-impact event is reviewed regardless of its score, since a rare but business-threatening event (1 x 5) otherwise receives the same "5" as a frequent, trivial one (5 x 1).
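The following is an added worked example of the scoring and appetite comparison described above; it is not InfoSaaS code and does not claim to reproduce how the product scores risks. It assumes only what the post states (likelihood and impact each scored 1 to 5, risk score equal to their product, compared against a single numeric appetite). The scale labels, the risk register and the two policy switches (treating a score that equals the limit, and an impact floor that escalates business-threatening events regardless of score) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example, not InfoSaaS's own code. Assumes the 5x5 matrix works as the
# post describes: likelihood and impact each scored 1-5, risk score = product
# (1-25), compared against one numeric risk appetite. Labels are constructed.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "business-threatening"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1-5
    impact: int      # 1-5

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def decide(risk: Risk, appetite: int, treat_at_limit: bool = True,
           impact_floor: int = 5) -> str:
    """Return 'accept' or 'treat' for one risk.

    appetite:        the organisation's numeric risk appetite (e.g. 10).
    treat_at_limit:  whether a score exactly equal to the appetite is treated.
                     The policy must say, because a 5x5 product matrix lands
                     on the limit often (2x5 and 5x2 both give 10).
    impact_floor:    impacts at or above this level are treated regardless of
                     score, so a rare but business-threatening event (1x5 = 5)
                     is not hidden behind the same number as a frequent trivial
                     one (5x1 = 5). This override is an assumption of the
                     example, not something the post describes.
    """
    if risk.impact >= impact_floor:
        return "treat"
    if risk.score > appetite:
        return "treat"
    if risk.score == appetite and treat_at_limit:
        return "treat"
    return "accept"


def evaluate(register: List[Risk], appetite: int, **policy) -> Dict[str, List[str]]:
    """Split a risk register into assets to accept and assets to treat,
    each list ordered by score so the largest exposures come first."""
    out: Dict[str, List[str]] = {"accept": [], "treat": []}
    for r in sorted(register, key=lambda r: r.score, reverse=True):
        out[decide(r, appetite, **policy)].append(r.asset)
    return out


# Constructed register using the kinds of event the post mentions.
REGISTER = [
    Risk("customer database", "credential theft via phishing", 3, 4),  # score 12
    Risk("payment gateway", "credit card fraud", 2, 5),                 # score 10, on the limit
    Risk("office network", "power outage", 4, 2),                       # score 8
    Risk("data centre", "fire", 1, 5),                                  # score 5, impact 5
    Risk("user laptops", "component failure", 5, 1),                    # score 5, impact 1
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=lambda r: r.score, reverse=True):
        print(f"{r.score:>2}  {LIKELIHOOD[r.likelihood]:<14} x {IMPACT[r.impact]:<21} "
              f"{decide(r, appetite=10):<7} {r.asset}: {r.threat}")
```

With an appetite of 10 and both switches on, the customer database (12) is treated because it exceeds the limit, the payment gateway and the data centre are treated because of their impact level even though their scores are 10 and 5, and the power outage (8) and laptop failure (5) are accepted. Turning the switches off shows how much of the outcome depends on policy decisions that a bare "our appetite is 10" leaves unstated.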

If your organisation is struggling to deliver effective risk assessments, you should consider taking a free trial of InfoSaaS to see how our solution helps achieve meaningful results. If you would like to find out more about us, please visit our website at www.infosaas.uk or call 0203 474 1290.