Protecting information resources has become more complex and challenging for organizations in a rapidly changing security threat landscape. The adoption of cloud computing technologies by organizations, and the extensive use of internet services by customers for daily activities like bill payments, communication, and banking, are a few examples illustrating the shifting technological scene in organizations. The shift towards these new technologies presents new risks to an organization’s information assets. Although information security standards like the ISO 27000 series suggest a diverse set of technical and process controls to protect an organization’s information assets, the standards acknowledge that the organization’s selection…

According to NIST (2011), risk management is a comprehensive process involving four important components: framing risks, assessing risks, responding to identified risks, and monitoring risks. These four components ensure that the risk management program is holistic, addressing risk from the strategic to the tactical level, and also ensure that risk-based decision making is integrated into all facets of an organization.
2.1 Frame Risks
Framing risks is the process of establishing a risk context that describes the environment in which risk-based decisions are made. Framing risks helps an organization develop a risk management strategy that holistically covers the approach it intends to follow to assess and respond to threats. To establish a reliable and realistic risk frame, organizations need to identify the following:
• Risk assumptions - Assumptions made about threats and vulnerabilities, and various other factors like consequence, likelihood of…

• Determine the effectiveness of the risk response after implementation.
• Identify how risk impacts change the organization’s information systems and the landscape in which those systems operate.
• Risk monitoring also requires an organization to describe how it plans to verify its compliance with applicable laws and regulations.
3. Importance of Risk Management to Business Leaders
Business leaders and managers are responsible for ensuring that due diligence is performed when making decisions for the organization. Having a formal risk management program as part of the organization’s information security program gives leaders a proper process, and the diligence it demands, before they make important information security decisions. Risk analysis helps managers decide whether or not to go ahead with a new security program, while risk assessment helps determine the types of controls that need to be implemented (Peltier, 2010). The risk assessment also helps identify the countermeasures that mitigate the risks, or helps decide whether it is better to accept a risk rather than mitigate