Risk Management: Role in Security and Establishes the Importance of Assets Within a Company
How it works
According to the Principles of Information Security, “risk management is the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.” Risk management plays an important role in security and establishes the importance of assets within a company. Financial and economic decisions made by a company are heavily influenced by the way risk management is handled. There are many important aspects to risk management, such as: risk identification, risk assessment, and risk control.
Before going over these aspects, it is important to establish the role of risk management in the C.I.A. triad. The C.I.A. triad is the industry standard for computer security (Whitman & Mattord). It is important to balance the three basic concepts of the C.I.A. triad: confidentiality, integrity, and availability. It is the job of the risk management policy to properly balance these three ideas within an organization. The organization must consider their environment and the legality of each aspect when applying risk management.
The first major undertaking of risk management is risk identification. Risk identification is a long process that involves understanding your environment and possible vulnerabilities. First, identify all assets and keep inventory of them. Any systems that involve information must be secured due to their value and possible vulnerabilities. Assets include, but are not limited to, people and information.
Each asset must be given different levels of priority based on the environment. When collecting information for asset identification, you want to collect the most important aspects. A few examples may be: name, ID, description, owner, purpose, backup procedures, etc. For hardware, software, and network identification, you will want to collect names, IP addresses, MAC addresses, serial numbers, and the type of device. It may be a good idea to keep a record of the model number from the manufacturer as well. Once this process is completed, you should identify possible vulnerabilities for each asset or asset type. Networking and data vulnerabilities are high priority since they greatly affect the success of the environment.
Once risk identification is completed, risk assessment is the next step in risk management. An assessment prioritizes assets and risks based on the company environment. An organization must secure their devices based on the asset’s importance to the success of the organization. Organizations need to determine the amount of risk they can take. This is calculated using the likelihood and impact of loss.
How much data can be lost and how likely is it that data loss will occur? After these questions have been answered, the organization can calculate their risk based on these percentages. Once this process is finished, the data must be documented and items ranked based on what needs more protection. More sensitive data or data that is critical for success are typically high priority concerning protection.
After risk assessment, risk control involves steps taken to reduce the impact and likelihood of risks to an acceptable level. An organization must establish strategies for mitigating risk, justify it to upper management, and apply the strategy once approved. When selecting control strategies, consider the environment, the success of the company, and the priority list made from the previous steps.
Higher-priority assets should be given more attention, as these are more critical to the success of the organization. Sometimes, mitigating risk can be as easy as adopting policies and training members. To propose these control strategies to upper-level management, you will need a compelling case based on the political and economic status of the organization. There are many cost-benefit analyses that can be calculated to help make a case for appropriate security. Be sure to include other costs that may come with implementing these strategies, such as education costs, maintenance costs, etc.
Once controls have been implemented, the process isn’t complete. Controls will need to be maintained and updated, new assets will need to be identified and assessed, and controls will need to be put in place to keep assets secure. Many tests can be performed to keep security up to date. Performing a periodic review, based on the current organizational structure and assets, can be a good way to stay secure. Organizations can log records and take measurements based on activities and numerical data. Use this data to monitor and adapt the asset security priorities.
In conclusion, risk management is important for an organization’s success. The loss of data can lead to legal issues, financial issues, or other detrimental issues for an organization. Maintaining the C.I.A. triad in a balance appropriate for the environment is one of the many steps to keeping assets secure. Risk can be managed by following through with identification, assessment, and application of controls. Maintenance and reviews are necessary to stay up-to-date with current day risks and maintain security.