Case Study No. 1: Slovenian Environment Agency is using the ARAT Risk Assessment Tool to manage its risk assessment

As the national environment organization, the Slovenian Environment Agency had to take a systematic approach to information security. This systematic approach is based on a high-quality risk assessment. Astec Risk Assessment Tool (ARAT) is a user-friendly application which enables the use of a standard methodology, provides the required flexibility and offers a clear overview of results.


Slovenian Environment Agency

The Slovenian Environment Agency performs professional, analytical, regulatory and administrative tasks related to the environment at the national level. The Agency monitors, analyzes, and forecasts natural phenomena and processes in the environment, thus reducing natural damage to people and their property. In this field of work, there are three offices: the Meteorological Office, the Hydrology and State of Environment Office, and the Seismology and Geology Office.


Why Risk Assessment?

The diversity of business processes and the complexity of the information system in the Slovenian Environment Agency called for a systematic approach to implementing an information security management system (ISMS). As part of the ISMS implementation according to ISO/IEC 27001, the Agency recognized risk assessment as the key tool for assessing security risks to information assets, identifying the most critical risks, and adopting appropriate security solutions and policies for reducing and eliminating unacceptable risks.


ARAT Risk Assessment Tool

The ARAT risk assessment tool was helpful for managing the process, from the assessment of required input data to risk calculation and management. The simple methodology and the threat and vulnerability catalogues integrated in ARAT enabled fast and efficient risk assessment despite the size and complexity of the organization.


Risk Assessment Results with ARAT

The Agency was aware of security deficiencies, but it was not able to classify them according to criticality, priority, and profitability. The risk assessment conducted with ARAT revealed the most critical security weaknesses in the Agency’s organizational procedures and technical mechanisms, and helped it prioritize its projects. Based on the risk analysis results, the Agency made an action plan which was used to justify the investments in certain areas of information technology.


Polonca Blaznik, Ph.D., Chief information officer

“The Agency was looking for a risk assessment tool that would provide an understandable methodology and transparent results. The ARAT tool turned out to be beneficial in coping with a large amount of data and the complexity of results.

The estimated risks are represented in a table that offers a transparent overview of all information security risks in the Environmental Agency, and can be used to inform high management about needed priorities to achieve the required level of information security in the Environmental Agency.”


Mina Žele, PhD, Astec, CISA and ISO/IEC 27001 auditor, responsible for the execution of risk analysis

“ARAT simplified the execution of risk analysis, which is a very complex process in an organization as big as the Slovenian Environment Agency. Next year, when we make a new risk assessment, we will easily compare the new results with the previous ones, and in this way monitor the improvement of information security.”