After studying this chapter you will be able to understand: Information security departments are created primarily to manage IT risk; managing risk is one of the key responsibilities of every manager within the organization; in any well-developed risk management program, two formal processes are at work; Risk identification and assessment, risk control. | Lecture 31 Risk Management Introduction Information security departments are created primarily to manage IT risk Managing risk is one of the key responsibilities of every manager within the organization In any well-developed risk management program, two formal processes are at work Risk identification and assessment Risk control Risk Management “If you know the enemy and know yourself, you need not fear the result of a hundred battles If you know yourself but not the enemy, for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself, you will succumb in every battle” -- Sun Tzu Knowing Yourself Identifying, examining and understanding the information and how it is processed, stored, and transmitted Armed with this knowledge, one can initiate an in-depth risk management program Risk management is a process Safeguards and controls that are devised and implemented are not install-and-forget devices Knowing the Enemy Identifying, examining, and understanding the threats facing the organization’s information assets Must fully identify those threats that pose risks to the organization and the security of its information assets Risk management The process of assessing the risks to an organization’s information and determining how those risks can be controlled or mitigated Accountability for Risk Management Communities of interest must work together Evaluating the risk controls Determining which control options are cost-effective Acquiring or installing the appropriate controls Overseeing processes to ensure that the controls remain effective Identifying risks Assessing risks Summarizing the findings Risk Identification Risk Identification (cont’d.) Risk identification begins with the process of self-examination Managers identify the organization’s information assets Classify them into useful groups Prioritize them by their overall importance Creating an Inventory of Information Assets Identify information . | Lecture 31 Risk Management Introduction Information security departments are created primarily to manage IT risk Managing risk is one of the key responsibilities of every manager within the organization In any well-developed risk management program, two formal processes are at work Risk identification and assessment Risk control Risk Management “If you know the enemy and know yourself, you need not fear the result of a hundred battles If you know yourself but not the enemy, for every victory gained you will also suffer a defeat If you know neither the enemy nor yourself, you will succumb in every battle” -- Sun Tzu Knowing Yourself Identifying, examining and understanding the information and how it is processed, stored, and transmitted Armed with this knowledge, one can initiate an in-depth risk management program Risk management is a process Safeguards and controls that are devised and implemented are not install-and-forget devices Knowing the Enemy Identifying, .
