By Steffen Schmack on 13.01.2022 IT Security

Risk analysis in accordance with BSI Standard 200-3 - (not only) as part of BSI IT baseline protection

The basic procedure for investigating security threats and their effects is a risk analysis. Within the BSI IT-Grundschutz process model, risk analysis describes the aspect of how institutions can “appropriately and purposefully manage” their information security risks. It logically follows on from the determination of how well security requirements have already been taken into account in the design of technology, processes and organizational structures in a company. These so-called “IT baseline protection checks” have already been covered in this blog article.

However, a risk analysis in accordance with BSI Standard 200-3 also has great benefits independently of the IT-Grundschutz framework. In the following, we will explain how such an analysis works, what to look out for and why we think it is good and important - regardless of other measures and frameworks.

Basic procedure for risk analysis in accordance with BSI Standard 200-3: Identifying risks in order to derive decisions

  1. The starting point of the analysis is the creation of an **overview of the relevant threats** to the institution that could impair information worthy of protection with regard to the three fundamental values of information security - confidentiality, availability and integrity. This survey takes place at the level of IT systems and applications, or even business processes. As an aid, the IT-Grundschutz compendium provides a list of so-called elementary threats, which has established itself as “best practice” and is compatible with comparable compilations at international level. This list can and should be supplemented by individually formulated scenarios.

  2. The resulting risks are then assessed and evaluated. The first step, the risk assessment, determines the probability of occurrence of the individual threats and the extent of the damage they would cause - using standardized thresholds. In the second step, the risk evaluation, the actual risk is classified - again using a standardized categorization, which is often illustrated by the “risk matrix”.

  3. In the next step, risk treatment, an individual acceptance threshold tailored to the respective company or institution is defined first. Risks below this threshold are accepted, because countermeasures are not sensible and economically justifiable for every risk category.

  4. For the remaining risks, measures must be formulated to counter them. These can be roughly divided into the groups of avoidance, reduction and transfer of the respective risk. As recommendations for action, they are the result of the risk analysis.
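The four steps above, carried through on a small constructed inventory, as an added example that is not part of the original article or of BSI Standard 200-3 itself. The four-level scales, the particular risk matrix, the acceptance threshold and the sample threats (for an assumed customer database) are all assumptions of this example; the standard leaves these choices to the institution.

```python
from dataclasses import dataclass

# Four-level scales in the style of BSI Standard 200-3. The (translated) labels and
# the matrix are assumptions of this example; each institution defines its own.
LIKELIHOOD = ["rare", "medium", "frequent", "very frequent"]
IMPACT = ["negligible", "limited", "considerable", "existence-threatening"]
RISK_LEVELS = ["low", "medium", "high", "very high"]
# Risk matrix: MATRIX[likelihood index][impact index] -> index into RISK_LEVELS
MATRIX = [[0, 0, 1, 2],
          [0, 1, 2, 3],
          [1, 2, 3, 3],
          [2, 3, 3, 3]]
# Treatment groups named in the article; which one applies stays a management decision
TREATMENT_OPTIONS = ("avoidance", "reduction", "transfer")

@dataclass(frozen=True)
class Threat:
    name: str        # scenario: elementary threat or individually formulated (step 1)
    asset: str       # IT system, application or business process
    value: str       # confidentiality, integrity or availability
    likelihood: str  # one of LIKELIHOOD
    impact: str      # one of IMPACT

def classify(threat: Threat) -> str:
    """Step 2: look up the risk category of a threat in the risk matrix."""
    return RISK_LEVELS[MATRIX[LIKELIHOOD.index(threat.likelihood)][IMPACT.index(threat.impact)]]

def analyse(threats, accept_up_to="low"):
    """Steps 3-4: accept risks up to the threshold, queue the rest for treatment.
    Returns (accepted, to_treat); to_treat is ordered highest risk first."""
    limit = RISK_LEVELS.index(accept_up_to)
    accepted, to_treat = [], []
    for t in threats:
        level = classify(t)
        if RISK_LEVELS.index(level) <= limit:
            accepted.append((t.name, level))
        else:
            to_treat.append((t.name, level, TREATMENT_OPTIONS))
    to_treat.sort(key=lambda row: -RISK_LEVELS.index(row[1]))
    return accepted, to_treat

# Constructed sample threats for an assumed customer database (not from the article)
SAMPLE = [
    Threat("fire in the server room", "customer DB", "availability", "rare", "considerable"),
    Threat("disclosure of customer data", "customer DB", "confidentiality", "medium", "existence-threatening"),
    Threat("brief power outage", "customer DB", "availability", "medium", "negligible"),
    Threat("unauthorised record change", "customer DB", "integrity", "medium", "limited"),
]
```

Calling `analyse(SAMPLE)` accepts only the power outage and returns the other three, with the disclosure scenario first, as the list of risks for which recommendations for action still have to be formulated.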

Conclusions within the framework of the IT-Grundschutz methodology

The procedure model of IT-Grundschutz is designed in such a way that, if an institution implements the security requirements defined there as basic and standard in typical IT system, network and application scenarios, sufficient protection is guaranteed for information with a normal need for protection.

An explicit risk analysis is therefore only necessary here if:

  • information within the systems or processes under consideration has a need for protection that goes beyond this - the information is therefore considered to be “particularly” worthy of protection in terms of its confidentiality, availability and/or integrity,
  • there are no assignable pre-formulated security requirements in IT-Grundschutz for the system or process under consideration,
  • the use case must be considered atypical for the selected security requirements of IT-Grundschutz.

The recommendations for action formulated as a result of the risk analysis then represent supplementary, individually tailored security requirements, the implementation of which must be checked.

Usefulness beyond basic IT protection

Even if a company has no other connection to BSI IT baseline protection, it is equally exposed to risks relating to business information worthy of protection. A systematic approach to analyzing the relevant threats and deriving measures to counter them can only be beneficial.

In this respect, it is also understandable that the topic of “risk management” is dealt with in a separate Standard 200-3 within the BSI IT-Grundschutz, which can also be used independently to a large extent.

Does this perhaps also make sense for your company or institution? SPIRIT/21 can provide you with expert support in assessing potential risks and deriving recommendations for action - within or outside the IT-Grundschutz framework - please contact us.

Steffen Schmack

Senior Consultant Security

Steffen is our expert on the subject of security, who is well versed in both theory and implementation, at both product and application level.