Information security risk management means assessing the risks an organization faces, taking steps to mitigate them, and monitoring whether those steps worked. An assessment defines each risk (which threat, exploiting which vulnerability, against which asset) and determines how it threatens the security of information systems. The assessment feeds directly into mitigation, for example upgrading or reconfiguring systems to reduce the likelihood or impact of the assessed risk. Finally, risk management includes monitoring the systems on an ongoing basis to confirm that the mitigation produced the intended result, and to catch new risks as systems and threats change.
IT Self Defense Basics
An organization must ensure that it has the capabilities needed to accomplish its mission. It must identify the risks that threaten those capabilities and evaluate protective measures, weighing their cost (financial, operational and otherwise) against the harm they prevent. One risk that every modern organization faces is compromised information security. An organization must identify where a compromise of confidentiality, integrity or availability would impair its ability to accomplish its mission, and take appropriate corrective measures within its established budgetary framework.
Risk Assessment
When an organization determines that weaknesses in information security pose a risk to its capabilities, it must examine its IT systems, operations, procedures and external interactions thoroughly to find out where the risks lie. This means identifying the assets that matter, the threats to them, the vulnerabilities those threats could exploit, the likelihood of exploitation, the impact if it succeeds, and the countermeasures available. Severity is a function of impact and likelihood: a vulnerability with no credible threat, or a threat with no exposed vulnerability, ranks low, while a likely attack on a mission-critical asset ranks high. The value of the assessment is that it ranks the risks, so that the high ones can be mitigated first rather than effort being spread evenly over everything.
Risk Mitigation
Mitigation means reducing or eliminating the risks identified by the assessment. The strategies for dealing with a risk are to accept it (consciously, and recorded as such), to reduce it by adopting measures that lower its likelihood or impact, to avoid it by eliminating its cause (for example retiring the system or dropping the activity), to limit it by putting controls in place that contain the damage, or to transfer it to a supplier, customer or insurance company. Note that transfer shifts the financial consequences, not the accountability: an outsourced or insured risk still needs to be monitored. Which strategy is appropriate depends on the extent to which the risk impairs the organization's ability to fulfill its mission, and on the cost of implementing the strategy. A structured record of each risk, the strategy chosen for it and the residual risk that remains is what turns mitigation into a repeatable risk management framework rather than a one-off exercise.
Evaluation and Monitoring
Once assessment and mitigation have been carried out, the organizational unit must evaluate the immediate result and then monitor the systems on an ongoing basis. The process starts with evaluating the effects of the assessment and mitigation, including setting benchmarks against which progress can be measured. It continues with evaluating the effect of changes and additions to the information systems, since each change can reintroduce risk or invalidate an earlier control. Finally, it performs continuous monitoring of information security performance, with the aim of identifying areas that must be reassessed for additional risk. Evaluation and monitoring are what show how successfully the organizational unit has managed its information security risk, and they close the loop by feeding the next round of assessment.