🤔 Benchmark InfoSec Risks
Hi, you and I once looked at a case on information security risks here, and now I think it is time to deal with a benchmark for information security risks.
I will give a typical description and classification: it is universal and can be adapted to a specific project and/or case.
The key goal is to reduce the level of risk where it threatens business processes.
The process follows the Shift Left practice (early involvement) at the design stage, during development of the technical solution and when the architecture changes. It serves as a source of requirements for inclusion in the PRD, which we considered here. The main stages of the process are Identification, Analysis, Risk Treatment, Control and Monitoring.
The approach allows you to:
- Control the scaling of the product
- Identify and cover risks associated with unacceptable events in a timely manner
- Optimize risk mitigation measures
- Determine the minimum sufficient set of measures needed to deal effectively with risks at subsequent stages
The objectives of information security risk management are:
- Timely and complete identification of factors that could give rise to new risks or change the level of current risks at all stages
- Development of information security measures that are optimal and minimally sufficient in terms of required resources and effectiveness
- Ensuring timely and complete implementation of those measures
- Review and update of the conditions when requirements or the architecture change, when previous information security measures can no longer be implemented, or when legislation or market conditions change; for this reason several alternative solutions are proposed
Measures are classified according to the specifics of the relevant information security requirements, including their conditions, restrictions and feasibility; the conditions are divided into pre-conditions and post-conditions.
Strategies for dealing with information security risks
- Acceptance: a conscious decision to accept a risk without additional measures if the current level of risk is within the acceptable level established by the company’s internal policy
- Delegation: transferring responsibility for risk to a third party (for example, through cyber risk insurance or outsourcing services with appropriate SLAs)
- Avoidance: completely avoiding the risky activity
- Minimization: development and implementation of an action plan to reduce the current level of risk to the target level
Key standards and practices for fintech in the Russian Federation for 2025:
- Bank of Russia standards: establish the principle of proportionality, which means that the scale of risk management measures must correspond to the potential damage (impact) to the business and its clients
- ISO 31000:2018 “Risk management. Principles and guidelines”: defines risk as “the effect of uncertainty on objectives,” where the effect (impact) is a deviation from what is expected (positive or negative). Risk assessment under ISO 31000 includes analysis of consequences (impact) and likelihood
- FAIR (Factor Analysis of Information Risk): expresses risk in financial terms (rubles). FAIR focuses directly on assessing the magnitude of potential losses (scope of damage) from an incident rather than the speed at which they materialize. This lets you justify security investments in a language the business understands.
In summary: you now have a tip on standards and practices for fintech in the Russian Federation (the principle of proportionality and focus on impact, assessment of consequences, assessment of damage in monetary terms). This principle is shared by all professional risk managers: it is the potential scale of damage (in money, reputation, clients, downtime) that is the primary factor in determining the criticality of a risk and allocating resources to manage and compensate for it. The benchmark itself will help you implement and assess risks more easily in whichever company you are in ;)
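As an added example (not part of the original post), here is a FAIR-style estimate of expected annual loss in rubles that ranks scenarios by impact and picks one of the four strategies above against an assumed acceptable loss level; the scenarios, their figures, the triangular-mean simplification and the strategy decision rule are all my assumptions, not figures from any standard.

```python
# Added example, not from the original post; all scenario figures are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple           # loss event frequency per year: (min, most likely, max)
    magnitude: tuple     # loss magnitude per event in RUB: (min, most likely, max)
    transferable: bool = False   # can be insured or outsourced with an SLA
    optional: bool = False       # the risky activity could simply be dropped

def triangular_mean(lo: float, likely: float, hi: float) -> float:
    """Mean of a triangular distribution (a common FAIR-lite simplification)."""
    return (lo + likely + hi) / 3.0

def annualized_loss(s: Scenario) -> float:
    """Expected annual loss in RUB = expected frequency x expected magnitude."""
    return triangular_mean(*s.lef) * triangular_mean(*s.magnitude)

def prioritize(scenarios):
    """Rank by potential damage, highest expected loss first."""
    return sorted(((s.name, annualized_loss(s)) for s in scenarios),
                  key=lambda t: t[1], reverse=True)

def choose_strategy(s: Scenario, acceptable_rub: float) -> str:
    """Assumed decision rule mapping the four strategies from the post."""
    if annualized_loss(s) <= acceptable_rub:
        return "Acceptance"    # within the level set by internal policy
    if s.optional:
        return "Avoidance"     # stop the risky activity altogether
    if s.transferable:
        return "Delegation"    # cyber insurance or outsourcing with an SLA
    return "Minimization"      # action plan to bring risk to the target level

def control_is_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Proportionality: a measure pays off only if the loss it removes exceeds its cost."""
    return ale_before - ale_after > annual_cost

# Constructed sample scenarios for a payment product (not real figures).
SCENARIOS = [
    Scenario("Card data leak via partner API", (0.1, 0.3, 0.5), (5e6, 20e6, 50e6)),
    Scenario("Phishing of back-office staff", (2, 4, 6), (1e5, 3e5, 5e5), transferable=True),
    Scenario("DDoS on payment gateway", (1, 2, 3), (5e4, 2e5, 3.5e5)),
]
ACCEPTABLE_RUB = 500_000.0   # assumed annual loss the internal policy tolerates
if __name__ == "__main__":
    for name, ale in prioritize(SCENARIOS):
        print(f"{name}: {ale:,.0f} RUB/year")
    for s in SCENARIOS:
        print(f"{s.name} -> {choose_strategy(s, ACCEPTABLE_RUB)}")
```

The ranking puts the card-data scenario first purely on expected damage, and control_is_justified shows the proportionality check: a 2M RUB/year measure that cuts its loss from 7.5M to 1.5M is worth it, while a 350k measure against a 400k exposure is not.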
#devsecops #pmi #reco #specialty #riskanalys #pmcases #compliance #gost
