Principles of Information Security 1-1

Chapter 7
Risk Management: Identifying and Assessing Risk

Chapter Overview
Chapter 7 defines risk management and its role in the organization and allows the reader to begin using risk management techniques to identify and prioritize risk factors for information assets. The risk management model presented here allows the assessment of risk based on the likelihood of adverse events and the effects on information assets when those events occur. The chapter concludes with a brief discussion of how to document the results of risk identification.

Chapter Objectives
When you complete this chapter, you will be able to:
- Define risk management and its role in the organization
- Begin using risk management techniques to identify and prioritize risk factors for information assets
- Assess risk based on the likelihood of adverse events and the effects on information assets when those events occur
- Begin to document the results of risk identification

Set-up Notes
This chapter could be completed in a single class session if there is sufficient time to cover the material. If the students have not had the opportunity to read the material in advance (in some settings, the textbooks are not made available until the first class meeting), it may be prudent to have a general discussion of the topic, with a detailed lecture to follow at the next class meeting. The subject matter can be covered in 1.25 to 2.5 hours.
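The overview describes a model that rates each risk by the likelihood of an adverse event and by its effect on the information asset, then prioritizes the results and documents them. The following is an added example, not part of the chapter or the instructor notes: it scores a small, constructed risk register as likelihood multiplied by impact (the scoring formula, the 0 to 1 likelihood scale, and the 0 to 100 impact scale are this example's assumptions, not something the page specifies), ranks the entries, and renders them as a plain-text register suitable for documenting the identification results.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One asset/threat pair in the risk register."""
    asset: str
    threat: str
    likelihood: float  # assumed scale: probability of the event in the review period, 0.0 to 1.0
    impact: float      # assumed scale: effect on the asset when the event occurs, 0 to 100


def validate(entry: RiskEntry) -> None:
    """Reject out-of-range ratings so a typo (likelihood 6 instead of 0.6) cannot
    silently dominate the ranking."""
    if not 0.0 <= entry.likelihood <= 1.0:
        raise ValueError(f"{entry.asset}/{entry.threat}: likelihood must be 0.0-1.0")
    if not 0.0 <= entry.impact <= 100.0:
        raise ValueError(f"{entry.asset}/{entry.threat}: impact must be 0-100")


def risk_score(entry: RiskEntry) -> float:
    """Assumed scoring rule: likelihood times impact (0 to 100)."""
    validate(entry)
    return entry.likelihood * entry.impact


def prioritize(entries):
    """Return the register sorted highest risk first; ties are broken by name
    so the ordering is deterministic when the report is regenerated."""
    return sorted(entries, key=lambda e: (-risk_score(e), e.asset, e.threat))


def register_lines(entries):
    """Render the prioritized register as fixed-width text lines (header first)."""
    ranked = prioritize(entries)
    lines = [f"{'Rank':<5}{'Score':>6}  {'Asset':<22}{'Threat':<30}{'L':>5}{'I':>6}"]
    for rank, e in enumerate(ranked, start=1):
        lines.append(
            f"{rank:<5}{risk_score(e):>6.1f}  {e.asset:<22}{e.threat:<30}"
            f"{e.likelihood:>5.2f}{e.impact:>6.0f}"
        )
    return lines


# Constructed sample register for the example; the assets, threats and ratings are invented.
SAMPLE_REGISTER = [
    RiskEntry("Customer database", "SQL injection via web app", 0.6, 90),
    RiskEntry("Customer database", "Disk failure", 0.2, 70),
    RiskEntry("Public web site", "Defacement", 0.5, 30),
    RiskEntry("Payroll file server", "Ransomware", 0.3, 80),
    RiskEntry("Internal wiki", "Insider data leak", 0.1, 20),
]


if __name__ == "__main__":
    for line in register_lines(SAMPLE_REGISTER):
        print(line)
```

Two details matter more than the arithmetic: the ratings are validated before scoring, and the sort key is deterministic, so the documented ranking does not change between runs when two entries tie. Any scoring rule can be substituted in risk_score without touching the rest of the register.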
Lecture Notes and Teaching Tips with Quick Quizzes

Introduction
Information security departments are created primarily to manage IT risk. Managing risk is one of the key responsibilities of every manager within the organization. In any well-developed risk management program, two formal processes are at work:
- risk identification and assessment
- risk control

Risk Management
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." (Sun Tzu)

Knowing Ourselves
This means identifying, examining, and understanding the information and how it is processed, stored, and transmitted. Armed with this knowledge, managers can then initiate an in-depth risk management program. Risk management is a process, which means the safeguards and controls that are devised and implemented are not install-and-forget devices.

Knowing the Enemy
This means identifying, examining, and understanding the threats facing the organization's information assets. Managers must be prepared to fully identify those threats that pose risks to the organization and the security of its information assets. Risk management is the process of assessing the risks to an organization's information