The success of the ISO's work and of the implemented information security policy shows itself only as an event that did not occur: an attack that was prevented leaves no visible trace. This is what makes the effort so difficult to evaluate. A basic acceptance of security measures within the organization is therefore necessary, so that the ISO does not have to fight attacks from the outside on the one hand and internal obstacles on the other. Starting to think about security only after damage has already been done is the wrong strategy.
A risk report can be used to weigh up costs and benefits, and from this follow the necessary steps for implementing a serious security process. A risk management system is used to isolate the danger points and to define the measures to be taken in the event of a successful attack (the catalog of measures). The security concept rests on a systematic process that identifies, analyzes, controls and communicates risks.
A modern risk analysis (risk is the product of probability of occurrence and amount of damage, so to reduce a risk at least one of the two factors must be reduced) therefore consists of the following steps, which must be repeated cyclically:
All of this is labor-intensive, especially during the initial implementation, but the continuous system inventory and monitoring, as well as communicating the security precautions to the employees, are costly as well.
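The cost-benefit weighing and the risk formula above can be made concrete in a small risk register. The following is an added example, not part of the original text: it applies risk = probability of occurrence x amount of damage to a handful of constructed entries, then scores each candidate measure from a catalog by how much annual risk it removes minus what it costs per year. A measure may lower the probability (preventive) or the damage (limiting), which is the "reduce at least one of the two factors" point. All names, figures and factors are invented for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One entry of a risk register (figures are constructed examples).

    probability: estimated occurrences per year
    damage:      estimated loss per occurrence, in currency units
    """
    name: str
    probability: float
    damage: float

    def exposure(self) -> float:
        # Risk as defined in the text: probability x amount of damage,
        # here expressed as expected loss per year.
        return self.probability * self.damage


@dataclass(frozen=True)
class Measure:
    """A candidate measure from the catalog of measures.

    A factor of 0.25 means the measure leaves 25 % of that quantity;
    a factor of 1.0 means the measure does not touch it.
    """
    name: str
    risk_name: str
    annual_cost: float
    probability_factor: float = 1.0  # preventive effect
    damage_factor: float = 1.0       # damage-limiting effect


def residual_risk(risk: Risk, measure: Measure) -> Risk:
    """The same risk after the measure has been applied."""
    return Risk(risk.name,
                risk.probability * measure.probability_factor,
                risk.damage * measure.damage_factor)


def net_benefit(risk: Risk, measure: Measure) -> float:
    """Annual risk reduction minus the measure's annual cost.

    Positive: the measure pays for itself. Negative: the organization
    would spend more on the measure than the risk it removes is worth.
    """
    reduction = risk.exposure() - residual_risk(risk, measure).exposure()
    return reduction - measure.annual_cost


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Highest expected loss first, the order in which to treat risks."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def evaluate_measures(register: List[Risk],
                      catalog: List[Measure]) -> List[Tuple[str, float]]:
    """(measure name, net benefit) for every catalog entry, best first."""
    by_name = {r.name: r for r in register}
    results = []
    for m in catalog:
        if m.risk_name not in by_name:
            raise ValueError(f"measure {m.name!r} refers to unknown risk {m.risk_name!r}")
        results.append((m.name, net_benefit(by_name[m.risk_name], m)))
    return sorted(results, key=lambda t: t[1], reverse=True)


# Constructed sample register and catalog (hypothetical values).
REGISTER = [
    Risk("ransomware on file server", probability=0.5, damage=200_000),
    Risk("phishing credential theft", probability=4.0, damage=10_000),
    Risk("laptop loss or theft", probability=2.0, damage=5_000),
]

CATALOG = [
    # limits damage: restore from backup instead of paying or rebuilding
    Measure("offline backups", "ransomware on file server", 15_000, damage_factor=0.25),
    # lowers probability: stolen passwords alone no longer suffice
    Measure("multi-factor authentication", "phishing credential theft", 8_000, probability_factor=0.25),
    # limits damage: a lost device no longer discloses its data
    Measure("full-disk encryption", "laptop loss or theft", 3_000, damage_factor=0.25),
    # too expensive for the risk it covers, so it should be rejected
    Measure("loss insurance", "laptop loss or theft", 12_000, damage_factor=0.5),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.name:28s} expected loss/year: {r.exposure():>10,.0f}")
    for name, benefit in evaluate_measures(REGISTER, CATALOG):
        verdict = "adopt" if benefit > 0 else "reject"
        print(f"{name:28s} net benefit/year: {benefit:>10,.0f}  -> {verdict}")
```

The output ranks the risks by expected annual loss and lists the measures with their net benefit; "loss insurance" comes out negative and would be dropped, while the other three measures reduce more risk than they cost. In practice the probability and damage estimates are the weak point of such a calculation, which is why the text insists that the analysis be repeated cyclically as the inventory and threat picture change.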
Before particular techniques are deployed, precise security rules for a secure network and guidelines for the employees have to be created. These define the use of the tools deployed, as well as responsibilities and courses of action. The roles of the people involved must be clearly and unambiguously defined.