El Risk analysis on the information security

Abstract

The purpose of this paper is to provide a set of conceptual thinking on information security and specifically on risk analysis and its importance in organizations. So, the most important and affected resource in any public or private, large or small organization, is the information collected, processed, stored and made available to users on computers and transmitted over networks, so that any organization must be alert and learn to implement security systems based on a risk analysis to prevent or mitigate the unintended consequences, because the risk is measurable. Risk analysis is a process that identifies threats and vulnerabilities of an organization with the goal of creating controls that mitigate or minimize the effects of risks, that involves to determine which assets to protect, from what or from who have to be protected and how to do it. The risk analysis should be made continuously since it is necessary to assess regularly whether the identified risks and exposure to those calculated earlier are still valid, and it is of vital importance because it can allow to identify future impacts on the risk structure of the organization. Internationally there is a standard, ISO 27005:2008 published in June of 2008, which establishes criteria for risk management of information security and provides a standardized framework that provides guidance in defining its own methodologies for each organization, this rule serves support to ISO 27001:2005 which provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a management system for information security (ISMS).