Introduction to Information Security and Risk Management
Risk management is the process of determining the vulnerabilities that are present in an organization’s information system. It is done by taking carefully planned steps to assure the confidentiality, availability and integrity of all the components inside the organization’s information system (Whitman & Mattord, 2003). Managing risks is not an easy task given limited resources and the changing landscape of threats and vulnerabilities in the system. This makes mitigating all the risks impossible, which is why professionals must have the right tools to help them manage the uncertainties present in the organization consistently (Elky, 2006, p. 1). The first step is to rank the vulnerability worksheet; only then can the organization choose one of the following approaches to control the risks or uncertainties.
The first approach is defense, which attempts to prevent the exploitation of the vulnerability. It is accomplished by countering the threats and removing the vulnerabilities in the assets, and it is also called avoidance. The second approach is transferal. It tries to shift the risk to other assets, processes or organizations. When the organization itself does not have the security skills, it should consider hiring or outsourcing arrangements with organizations that provide such expertise. This allows the organization to transfer the risks to others rather than dealing with the risks itself. The mitigation approach, on the other hand, tries to reduce the impact caused by the vulnerability through planning and preparation. Acceptance is the approach of doing nothing to protect the information asset and simply accepting the outcome of its potential exploitation; it is usually not a conscious approach. Lastly, termination, which is similar to acceptance, is the approach based on the organization’s need to leave a certain asset unprotected: when the organization does not want the vulnerability to be exploited, it removes the asset that represents the higher risk from the environment (Whitman & Mattord, 2007).
References
Elky, S. (2006). An Introduction to Information System Risk Management. Retrieved from SANS Institute website: https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204
Whitman, M. E., & Mattord, H. J. (2003). Risk Management: Assessing and Controlling Risk. In Principles of information security (4th ed.). Boston, MA: Thomson Course Technology.
Whitman, M. E., & Mattord, H. J. (2007). Principles of incident response and disaster recovery (2nd ed.). Boston, MA: Thomson Course Technology.