Risk Management: Role in Security and Establishes the Importance of Assets Within a Company
According to the Principles of Information Security, “”risk management is the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.”” Risk management plays an important role in security and establishes the importance of assets within a company. Financial and economic decisions made by a company are heavily influenced by the way risk management is handled. There are many important aspects to risk management such as: risk identification, risk assessment, and risk control.
Before going over those aspects, it is important to establish the role of risk management in the C.I.A. triad. The C.I.A. triad is the industry standard for computer security (Whitman & Mattord). It is important to balance the three basic concepts of the C.I.A. triad: confidentiality, integrity, and availability. It is the job of the risk management policy to properly balance these three ideas within an organization. The organization must consider their environment and the legality of each aspect when applying risk management.
Our writers can help you with any type of essay. For any subjectGet your price
How it works
The first major undertaking of risk management is risk identification. Risk identification is a long process that involves understanding your environment and possible vulnerabilities. First, you want to identify all assets and keep inventory of them. Any systems that involve information must be secured due to their value and possible vulnerabilities. Assets include but are not limited to: people and information.
Each asset must be given a different levels of priority based on the environment. When collection information for asset identification, you want to collect the most important aspects. A few examples may be: name, ID, description, owner, purpose, backup procedures, etc. For hardware, software, and network identification, you want to collect names, IP addresses, MAC addresses, serial numbers, and the type of device. It may be a good idea to keep a record of the model number from the manufacture as well. Once this process is completed, you should identify possible vulnerabilities for each asset or asset type. Networking and data vulnerabilities are high priority since they affect the success of the environment greatly.
Once risk identification is completed, risk assessment is next step in risk management. An assessment prioritizes assets and risks based on the company environment. An organization must secure their devices based on the asset’s importance to the success of the organization. Organizations need to determine the amount of risk they can take. This is calculated using the likelihood and impact of loss.
How much data can be lost and how likely is it that data loss will occur? After these questions have been answered, the organization can calculate their risk based on these percentages. Once this process is finished, the data must be documented and have items ranked based on what needs more protection. More sensitive data or data that is critical for success are typically in high priority concerning protection.
After risk assessment, risk control is the steps taken to reduce the impact and likelihood of risks to an acceptable level. An organization must establish strategies for mitigating risk, justify it to upper management, and apply the strategy once approved. When selecting control strategies, consider the environment, success of the company, and the priority list made from the previous steps.
Higher priority assets should be given more attention as those are more critical to the success of the organization. Sometimes, mitigating risk can be as easy as adopting policies and training members. To propose these control strategies to upper level management, you will need a compelling case based on the political and economic status of the organization. There are many cost-benefit analysis that can be calculated to help make a case for appropriate security. Be sure to include other costs that may come with implementing these strategies such as: education costs, maintenance costs, etc.
Once controls have been implemented, the process isn’t complete. Controls will need to be maintained and updated, new assets will need to be identified and assessed, and controls will need to be put in place to keep assets secure. Many tests can be given to keep the security up to date. Performing a periodic review based on the current organizational structure and assets, can be a good way to stay secure. Organizations can log records and record measurements based on activities and numerical data. Use this data to monitor and adapt the asset security priorities.
In conclusion, risk management is important for an organization’s success. The loss of data can lead to legal issues, financial issues, or other detrimental issues towards an organization. Keeping the C.I.A triad appropriately balanced for the environment is one of many steps to keeping assets secure. Risk can be handled by following through with identification, assessment, and application of controls. Maintenance and reviews are necessary to stay up to date with current day risks and staying secure.