Risk Management

Risk is the chance that something can go wrong or that an adverse event takes place. In the context of information security, a risk is anything that can impact the availability, confidentiality, or integrity of business or personnel information. Common examples include: a laptop being stolen along with the data on it; a person tailgating somebody into the building and stealing critical files; a person who obtained credentials through social engineering gaining access to a server and copying confidential data; somebody tapping into the network and modifying the messages being sent; somebody stoning or ransacking the building during a riot; or natural hazards such as floods. Such threats are the risks, and they need to be proactively managed.

There are various methodologies an organization can use to carry out risk assessments. Organizations are also free to come up with their own risk assessment methodology depending upon their context and their experience. We are exploring one such methodology that is easy to use, practical, and has been used effectively for some time.

First, risks need to be identified. Then each needs to be analyzed for the probability of its occurrence and the impact if it does happen. Based on that probability and impact, the risk exposure (risk level) is decided. Depending upon the organization's exposure to a particular risk, the risk has to be either avoided, transferred, mitigated, or accepted. A risk can be accepted only when the exposure is minimal and the organization can sustain it. Where a risk is to be mitigated, the additional controls that will mitigate it have to be determined. Determining those additional controls is the normal step at this point, but it is equally important to ensure that the controls are effectively deployed and that their continued effectiveness is monitored and ensured.

The organization's internal and external context may vary from time to time, whether due to the competitive environment, legal changes, changes in the way business is done, or technological change.

The risks in the revised context need to be re-analyzed, and additional controls implemented as required, so that the organization continues to maintain sufficient controls to protect information security. It is recommended that each organization has its own clearly defined risk assessment methodology which drives risk assessment in the organization. This should cover the entire process of risk assessment, including the acceptable risk exposure value and guidelines on the various risk responses. Figure 5-1 illustrates the risk assessment life cycle.

Figure 5-1. Risk Assessment Life Cycle
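The life cycle above, as an added example that is not part of the chapter: a small risk register that scores exposure as probability times impact on assumed 1-to-5 scales, credits only those controls that monitoring has confirmed effective, and maps the residual exposure to the four responses against an assumed acceptable exposure value. The scales, threshold, response rules and sample entries are all constructed for illustration, not taken from the chapter.

```python
from dataclasses import dataclass, field
# Assumed 1 (low) to 5 (high) ordinal scales; exposure = probability * impact (1..25).
# The chapter gives no scale or threshold; these values are constructed for illustration.
ACCEPTABLE_EXPOSURE = 6

@dataclass
class Control:
    name: str
    cuts_probability: int = 0  # scale points the control lowers probability by
    cuts_impact: int = 0       # scale points the control lowers impact by
    effective: bool = True     # set from monitoring; an ineffective control earns no credit

@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    controls: list = field(default_factory=list)

    def exposure(self) -> int:  # inherent exposure, before any control is credited
        return self.probability * self.impact

    def residual_exposure(self) -> int:  # credits only controls confirmed effective
        p, i = self.probability, self.impact
        for c in self.controls:
            if c.effective:
                p, i = p - c.cuts_probability, i - c.cuts_impact
        return max(1, p) * max(1, i)

def respond(risk: Risk, acceptable: int = ACCEPTABLE_EXPOSURE) -> str:
    """Assumed response guideline mapping to the chapter's four responses."""
    if risk.residual_exposure() <= acceptable:
        return "accept"                      # within what the organization can sustain
    if risk.exposure() >= 20:
        return "avoid"                       # too severe to run at all
    if risk.impact >= 4 and risk.probability <= 2:
        return "transfer"                    # rare but costly: insure or outsource
    return "mitigate"                        # determine and deploy additional controls

def assess(register: list) -> dict:  # one life-cycle pass; re-run on any context change
    return {r.name: (r.residual_exposure(), respond(r)) for r in register}

# Constructed sample register built from the chapter's own example risks.
REGISTER = [
    Risk("stolen laptop with data", 4, 4, [Control("full-disk encryption", cuts_impact=3)]),
    Risk("flood damages server room", 2, 5),
    Risk("network tap modifies messages", 4, 4),
    Risk("tailgating into file store", 4, 2,
         [Control("badge-controlled door", cuts_probability=2, effective=False)]),
]
```

Flipping the badge door's `effective` flag to `True` after a monitoring check moves the tailgating entry from "mitigate" to "accept", which is the point of re-running the assessment rather than scoring once.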

We have seen some organizations use the asset value to calculate the total financial impact. This approach mostly fails because accurate asset values are not available. Further, some organizations also try to assess the business impact of risks in financial terms; as we have seen, this mostly turns out to be guesswork rather than being based on uniform, good, prudent methods.

In view of the preceding, we have provided a simple, practical way that works for most organizations, and which at the same time draws on best-in-class practices from various guidelines and standards, including ISO/IEC 27001:2013 – Information Security Management System – Requirements.

