1. Introduction In this section, you should briefly introduce the project background and related information. 1.1 Purpose This report aim to explain how is achieved risk control through strategies and through security management of information. 1.2 Objectives Will be described how information assets are evaluated as exposed to risk, and how risk is identified and evaluated. 1.3 Definitions, Acronyms, and Abbreviations "Risk management is the part of analysis phase that identifies vulnerabilities in an organisation`s information system and take carefully reasoned steps to assure the confidentiality, integrity, and availability of all components in the organisation`s information system" (Management of Information Security - second ed, Michael E. Whitman and Herbert J. Mattord) Risk is the potential loss resulting from the balance of threat, vulnerabilities, countermeasures, and value. Vulnerabilities are the weaknesses that allow the threat to exploit you. Countermeasures are the precautions you take. Value is the potential loss you can experience. Nuisance Value is the potential cost of dealing with a loss. Competitor Value is the value of an asset in the eyes of an adversary. Vulnerabilities are the weaknesses that allow the threat to exploit you. When there is a vulnerability for them to exploit, you then have risk. Countermeasures are the precautions that an organization takes to reduce risk. 2. Risk Management Information security is about managing the risk of using information. Risk management implies first risk identification second risk assessment and at end risk control. "Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure,... ... middle of paper ... ...an employee resigning, policies to limit user access, etc. " The goal of a security program is then to choose and implement cost effective Countermeasures that mitigate the Vulnerabilities that will potentially lead to loss." (Zen and the art of information security, page 54, Syngress) Minimization of risk implies that you want to remove as much risk, loss, as possible. And this can be achieved through optimization. Risk Optimization line on the graph is showing the point that is determined as the amount of loss likely to happened and is accepted and the cost of the countermeasures that will minimise the risk to that point. Calculate the budget required for those countermeasures. If management chooses not to fund a recommended countermeasure, acceptance must be conscious that the failure to introduce countermeasures will likely create a much larger amount loss.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish roles and responsibilities of all personnel and staff members. However, a Chief Information Officer should be appointed to direct an organization’s day to day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable in ensuring all of the rules and policies are being followed, as well as, understanding their roles, responsibilities and functions. Organizations information processing systems are vulnerable to many threats that can inflict various types of damage that can result in significant losses (Harris, 2014). Losses can come from actions from trusted employees that defraud the system, outside hackers, or from careless data entry. The major threat to information protection is error and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
Standards Managing and protecting each asset requires an organization to implement both internal and external controls that will assist in achieving the objective of efficient operations, compliance with applicable laws and regulations, and maintain the confidentiality, integrity and availability of its critical asset at any time in accordance with best practices of NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems, NIST SP 800-30 Guide to Conducting Risk Assessments, and SANS Institute Developing Security Policies for Protecting Corporate Assets. Procedure Conducting a Risk Assessment provides insight into the difference between a threat and vulnerabilities and helps to identify countermeasures to harden and protect an organization assets to ensure only an acceptable level of residual risk remains. A risk assessment must include an extensive review of roles and responsibilities (employees, contractors, and vendors) to determine the necessary access control for each position within the organization and classification of the type of data to which each is granted access.
Risk management is the process of identifying, giving priority, and assessing risks. Risk management decisions should focus on rational utilization of the available resources in order to control, minimize and monitor the impacts of risks. In designing security systems to prevent potential risks at the Maracana, the party involved should ensure that the available resources are fully utilized. These resources should be used to develop risk management systems that will ensure control, monitoring, and minimization of potential risks.
Hardware and software vulnerabilities, malware, viruses, improper logging, and patches all increase the attack vector of a company, often leaving it in a susceptible and vulnerable state. Commonly known weaknesses/vulnerabilities are preyed upon and are those that are typically checked first by an attacker. These unmanaged states leave the company exposed to various types of attacks which typically lead to intellectual property loss and even to an Advanced Persistent Threat (APT).
Technological advances continue to evolve at a continually increasing rate. Despite these improving increases in technology, the utilization of theoretical frameworks in risk management or information security may be deficient due to the inadequate substantiation of the theory. Furthermore, academic research to corroborate existing theories relevant to risk management or information security is underway, but current research may not be supportive of existing theories. According to Chuy et al. (2010), the roles of theories may not be fully understood and arguably used by others in the research process. In this article, a discussion will be presented on several theories regarding information security and risk management. Additionally, the selected theories will be compared to the implied use to information security and risk. In addition, a brief analysis of each theory will be conducted regarding whether abundant research exists on the specific theory that can be used by the academic community and others. Finally, a discussion will be offered on any challenges that may arise for each theory that does not have sufficient supportive research.
Information security refers to combination of strategies, processes, tools and practices which are designed and implemented to prevent sensitive information from unauthorized access, use, disclosure, disruption or modification. Information security plays a major role in management of information systems. Information systems consist of three components which are hardware, software and network. Information security is characterized by three tributes confidentiality, integrity and availability (Yliopisto, 2014) Confidentiality refers to preventing unauthorized access and disclosure of private and proprietary information.
A computer security risk is any action that could cause lost of information, software, data, processing incompatibilities,
In a company, a senior management needs to address management tasks and have an information security governance. The information security governance (ISG) is a way for a company to protect information in the information systems. According to Grama, the responsibility of the ISG falls on the executive management team to protect the information assets, (p. 373, 2011). The company will need to have its information security goals align with its business needs to help protect information. For example, a company needs to make a profit to stay in business and it should include goals to protect information from hackers. If a company gets a reputation of having security breaches, people would not want to do business with the company and they would lose profits. The CIA triad of confidentiality, integrity, and availability can be used by the ISG to meet the goals. Confidentiality is to protect information by allowing the correct people to have the permissions to access and use information. Integrity makes for the information is accurate and changes cannot be made to the information without the correct permission. Availability is making sure the information systems are always up and that information can be accessed. There are many tasks that senior management needs to address such as to make sure everyone understands the needs for the security of information to be governed. This can be done by informing the board and other senior management who may not be as familiar with information systems, how the threats and damage form the threats can disrupt operations and profits in the company. Another task for senior management to help with the development of the security framework by creating policies, standards, procedures, and guidelines. Thes...
According to the information security governance, success is often less, due to inability to value the the organisation 's information and data. This creates the discussion on the needs for security and the resources to be assigned to this.
Risk is the possibility of losing something valuable which creates uncertainty while making investment decisions. It is going to impact negatively in future. Risk management is that process of developing a system which identifies risks and manage them with different tools. Every risk should have contingency and mitigation plan. Risk management is applied when a company gets an uncertainty difficulty in financial market which threat project failures in design or production phase. The process of making a new product with the help of different raw materials and supplying them to customers is supply chain. Supply chain risk management can be viewed as a strategic management activity in firm. For example: the supply chain of Gap Inc. (Collier.D, & Evans.J, 2012, p.180) begins at the farm where they grow cotton as raw material and then transfer to textile mills where T-shirt and jeans are made. The factories cut and sew the fabric into finished goods, and send them to retail stores for sale.
Identify the potential risks which affect the company and manage these risks within its risk appetite;
Safety of information is the most valuable asset in any organization particular those who provide financial service to others. Threats can come from a variety of sources such as human threats, natural disasters and technical threats. By identifying the potential threats to the network, security measure can be taken to combat these threats, eliminate them or reduce the likelihood and impact if they should occur.
As has been discussed before, risk identification plays an important part in the risk such as unique, subjective, complex and uncertainly. There are no two identical leaves in the world; similar, there are no two exactly the same risk either. Hence the best risk manger could not identify risk completely. Besides, risk identification assessment is done by risk analysts. As the different level of risk management knowledge, practical experience and other aspects between individuals, the result of risk identification may be difference. Furthermore, the process of identifying risk is still risky. Once risks have been identified, corporations have to take actions on limiting risky actions to reduce the frequency and severity of risky. They have to think about any lost profit from limiting distribution of risky action. So reducing risk identification risk is one of assessments in the risk
Nowadays, the information is the most treasured asset in an organization, due to it along with the experience represents the input necessary to take appropriate decisions and consequently to have success in the business. Almost all the information and knowledge related with the processes business, goods and services offered by a company, is processed, managed and stored through technology and information systems, thus the security of information has become increasingly important and plays a critical role in the enterprise government.
Identification of the risk can simply be done by doing brainstorming with the team members. As Dr. McCarville said, there is no right or wrong answers. Every input is important and can really affect the process. Other beneficial tool is Fishbone Diagram.