Open In App

Risk Management for Information Security | Set-1

Last Updated : 29 Sep, 2022
Improve
Improve
Like Article
Like
Save
Share
Report

Prerequisite – Threat Modelling 

A risk is nothing but intersection of assets, threats and vulnerability. 
 

A+T+V = R

NIST SP 800-30 Risk Management Guide for Information Technology Practitioners defines risk as a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. 

So the main components of Risk Assessment are: 
 

  • Threats
  • Vulnerability
  • Impact (i.e. potential loss)
  • Likelihood of occurrence (i.e. the probability that an event – threat successful exploit of a vulnerability – will occur)

Threats is anything that can exploit a vulnerability accidentally or intentionally and destroy or damage an asset. Asset can be anything people, property or information. Asset is what we are trying to protect and a threat is what we are trying to protect against. Vulnerability means gap or weakness in our protection efforts. 

Threat Source is a method to exploit a vulnerability or a situation either intentionally or unintentionally. For example a Malicious Software to which a virus or worm attaches to spread itself in the system and to others computer via email containing either virus as a attachment or as a link. If this email is shared by sender without knowing the malicious purpose of attachment or link then, this will be unintentional threat source otherwise it will be an intentional threat source. 

The complete process of handling Risk can be divided into following stages: 
 

  1. Context Establishment
  2. Risk Assessment 
    • Risk Identification
    • Risk Estimation
    • Risk Evaluation
  3. Risk Management/ Mitigation 
    • Risk Assumption
    • Risk Avoidance
    • Risk Limitation
    • Risk Planning
    • Research and Acknowledgement
    • Risk Transference
  4. Risk Communication
  5. Risk Monitoring and Review
  6. IT Evaluation and Assessment

1. Context Establishment – 
In this step information about the organization and basic criteria, purpose, scope and boundaries of risk management activities are obtained. In addition to this data, it is important to gather details about the organization in charge of risk management activities. 

Organization’s mission, values, structure, strategy, locations and cultural environment are studied to have a deep understanding of it’s scope and boundaries. 
The constraints (budgetary, cultural, political, technical) of the organization are to be collected and documented as guide for next steps. 

The main role inside organization in charge of risk management activities can be seen as: 
 

  1. Senior Management
  2. Chief information officer (CIO)
  3. System and Information owners
  4. the business and functional managers
  5. the Information System Security Officer (ISSO) or Chief information security officer (CISO)
  6. IT Security Practitioners
  7. Security Awareness Trainers

Risk Management for Information Security | Set-2
 


Like Article
Suggest improvement
Previous
Approaches to Intrusion Detection and Prevention
Next
Risk Management for Information Security | Set-2
Share your thoughts in the comments

Similar Reads

Risk Management for Information Security | Set-2
Information Classification in Information Security
Information Assurance vs Information Security
Difference between Cyber Security and Information Security
Principle of Information System Security : Security System Development Life Cycle
Difference between Information Security and Network Security
Cybersecurity vs Network Security vs Information Security
Integrating Risk Management in SDLC | Set 1
Integrating Risk Management in SDLC | Set 2
Integrating Risk Management in SDLC | Set 3

R
rashi_garg
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox