TEL2813/IS2820 Security Management
Risk Management: Identifying and Assessing Risk
Feb 7, 2006

Introduction
- Information security departments are created primarily to manage IT risk
- Managing risk is one of the key responsibilities of every manager within the organization
- In any well-developed risk management program, two formal processes are at work:
  - Risk identification and assessment
  - Risk control

Knowing Our Environment
- Identify, examine and understand information and how it is processed, stored, and transmitted
- Initiate an in-depth risk management program
- Risk management is a process, which means the safeguards and controls that are devised and implemented are not install-and-forget devices

Knowing the Enemy
- Identify, examine, and understand the threats
- Managers must be prepared to fully identify those threats that pose risks to the organization and the security of its information assets
- Risk management is the process of assessing the risks to an organization's information and determining how those risks can be controlled or mitigated

Risk Management
- The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected (NIST)

Risk Management Cycle (figure)
- Stages shown in the cycle: Identify the Risk Areas, Assess the Risks, Develop Risk Management Plan, Implement Risk Management Actions, Re-evaluate the Risks
- The cycle is labelled with its two phases: Risk Assessment and Risk Control (Mitigation)

Accountability for Risk Management
- All communities of interest must work together:
  - Evaluating risk controls
  - Determining which control options are cost-effective
  - Acquiring or installing appropriate controls
  - Overseeing processes to ensure that controls remain effective
  - Identifying risks
  - Assessing risks
  - Summarizing findings

Risk Identification Process (figure)

Risk Identification
- Risk identification begins with the process of self-examination
- Managers identify the organization's information assets, classify them into useful groups, and prioritize them by their overall importance

Creating an Inventory of Information Assets
- Identify information assets, including people, procedures, data and information, software, hardware, and networking elements
- This should be done without pre-judging the value of each asset
- Values will be assigned later in the process

Organizational Assets (figure)

Identifying Hardware, Software, and Network Assets
- The inventory process requires a certain amount of planning
- Determine which attributes of each of these information assets should be ...