Comparative study of risk analysis
Χαλβατζή, Ευτυχία Ι.
The rapid development of information technology and its widespread use in the operational environment has enabled maximum operational efficiency, but at the same time it has raised many important issues concerning the security of an enterprise's information systems. These issues relate mainly to ensuring the confidentiality, integrity and availability of business information against the risks that lurk and threaten those three basic security principles. The challenges of our times relate to compliance with laws and regulations, the use of new technologies, and a particularly high number of new threats and of new users who are untrained in security matters. Security incidents are increasing, which forces organizations to seek solutions for preserving their data and makes the task of protecting information systems more necessary than ever. The solution to the above problem is risk analysis, which helps in identifying, assessing and evaluating risks and in reaching adequate decisions (measures) on the actions that need to be taken to prevent risk or reduce it to acceptable levels. This thesis deals with the analysis and management of risk, and specifically with the study and comparison of two risk analysis methods. This process enables the identification of the critical assets of a system, the potential threats and vulnerabilities, and proposes protection measures (countermeasures) that ensure the secure operation of the system. The system used for the study is an existing IT system of a Greek company; the company's management requested that its identity not be revealed. The study was performed using two methods, namely CRAMM (CCTA Risk Analysis and Management Method) and OCTAVE Allegro (Operationally Critical Threat, Asset and Vulnerability Evaluation).
First, a description of the infrastructure that has been studied is given, in which the assets of the company are described in detail; then we study the threats that the systems face and the relevant vulnerabilities. Subsequently we calculate the degree of risk of the information system and develop a comprehensive security plan for the company, which includes both the proposed countermeasures and the security policy of the company. Finally, we provide a comparison of the two risk analysis methods.
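To make the "degree of risk" step concrete for one of the two methods compared, the following added example (not code from the thesis) implements OCTAVE Allegro's relative risk score: each impact area the organization has ranked 1 to 5 is multiplied by the scenario's impact value (Low=1, Moderate=2, High=3) and the products are summed. The impact-area ranking and the three threat scenarios are constructed for illustration; CRAMM's risk matrix is proprietary and is not reproduced here.

```python
# OCTAVE Allegro relative risk scoring (Caralli et al., 2007, Step 7):
# relative_risk = sum(area_priority * impact_value) over the five impact areas.
# The priorities, scenarios and resulting numbers below are constructed for
# illustration; they are not taken from the thesis.

IMPACT_VALUE = {"low": 1, "moderate": 2, "high": 3}

# Assumed organisational ranking of the five OCTAVE Allegro impact areas
# (5 = most important to this company, 1 = least important).
IMPACT_AREA_PRIORITY = {
    "reputation": 5,
    "financial": 4,
    "productivity": 3,
    "fines_legal": 2,
    "safety_health": 1,
}


def relative_risk_score(impacts, priorities=IMPACT_AREA_PRIORITY):
    """Return sum(priority x impact value); every area must be rated once."""
    if set(impacts) != set(priorities):
        raise ValueError("every impact area needs exactly one impact rating")
    return sum(priorities[area] * IMPACT_VALUE[level.lower()]
               for area, level in impacts.items())


def rank_scenarios(scenarios):
    """Return (name, score) pairs, highest relative risk first, ties by name."""
    scored = [(name, relative_risk_score(impacts)) for name, impacts in scenarios.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed threat scenarios for one critical information asset.
SCENARIOS = {
    "customer database disclosed by insider": {
        "reputation": "high", "financial": "high", "productivity": "low",
        "fines_legal": "high", "safety_health": "low"},
    "ERP unavailable after ransomware": {
        "reputation": "moderate", "financial": "high", "productivity": "high",
        "fines_legal": "low", "safety_health": "low"},
    "backup tapes lost in transit": {
        "reputation": "moderate", "financial": "low", "productivity": "low",
        "fines_legal": "moderate", "safety_health": "low"},
}

if __name__ == "__main__":
    for name, score in rank_scenarios(SCENARIOS):
        print(f"{score:3d}  {name}")  # scores range from 15 (all low) to 45 (all high)
```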