Risk Management Program


The objective of IWC's risk management program is to Maximize Security and Minimize Cost Through Risk Management.

What Is Risk Management?

You may recall that the topic of risk management was discussed in Chapter 3. Because it is the baseline for all of the IWC ISSO's decisions relative to information and systems protection, the ISSO decided to formalize the function as an integral part of the CIAPP and the InfoSec organization.

The ISSO knew that for IWC employees, especially management, to understand the philosophy behind how InfoSec-related decisions were made, they should have some basic grasp of the risk management philosophy. Thus the ISSO directed that this topic be an integral part of the CIAPP and the CIAPP-EATP. The ISSO knew that in order to understand the risk management methodology, one must first understand what risk management means. The ISSO defined risk management as the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk assessments; risk analyses, including cost-benefit analyses; target selection; implementation and test; security evaluation of safeguards; and overall InfoSec review.

The ISSO established as an objective of the risk management process to provide the best protection of systems and the information they store, process, display, and/or transmit at least cost consistent with the value of the systems and the information.

Risk Management Process

Remember that the CIAPP is an IWC program made up of professionals who provide service and support to their company. Therefore, the risk management process must be based on the needs of IWC customers.

Also, the ISSO wanted to be sure that the risk management concepts, program, and processes are informally and formally used in all aspects of the InfoSec program, including when and how to do awareness briefings and the impact of information systems security policies and procedures on the employees.

The following steps should be considered in the ISSO's process:

  1. Management interest: Identify areas that are of major interest to executive management and customers; approach from a business point of view. So, the process should begin with interviews of your internal customers to determine what areas of InfoSec are adversely affecting their operations the most. Then, target those areas first as the starting point for the risk management program.

  2. Identify specific targets: Software applications, hardware, telecommunications, electronic media storage, etc.

  3. Input sources: Users, system administrators, auditors, security officers, technical journals, technical bulletins, CERT alerts (Internet), risk assessment application programs, etc.

  4. Identify potential threats: Internal and external, natural or manmade.

  5. Identify vulnerabilities: Through interviews, experience, history, testing.

  6. Identify risks: Match threats to vulnerabilities with existing countermeasures, verify, and validate.

  7. Assess risks: Acceptable or not acceptable, identify residual risk, then certify the process and gain approval. If the risks are not acceptable, then:

    • Identify countermeasures;

    • Identify each countermeasure's costs; and

    • Compare countermeasures, risks, and costs to mitigated risks.
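Steps 6 and 7 above can be worked through as a small risk register. The following is an added example, not code from the book or from IWC's program: it pairs a threat with a vulnerability and the countermeasures already in place, decides whether the risk is acceptable against a management-set appetite, and compares each proposed countermeasure's annual cost with the loss it would avoid. The quantitative model (expected loss per year as single-occurrence loss times expected annual rate), the risk appetite figure, and all sample values are assumptions constructed for this illustration; the book leaves the cost-benefit method to the ISSO.

```python
"""Worked illustration of the 'identify risks' and 'assess risks' steps.

Assumptions (not from the source): risk is quantified as expected annual
loss = single_loss * annual_rate, and a countermeasure is modelled by the
fraction of the annual rate it removes. Sample figures are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Risk:
    target: str                     # step 2: the specific target
    threat: str                     # step 4: the threat
    vulnerability: str              # step 5: the vulnerability it exploits
    existing_countermeasures: List[str] = field(default_factory=list)
    single_loss: float = 0.0        # constructed: cost of one occurrence
    annual_rate: float = 0.0        # constructed: expected occurrences/year

    def annual_loss(self) -> float:
        """Expected loss per year with only the existing countermeasures."""
        return round(self.single_loss * self.annual_rate, 2)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float              # constructed: yearly cost to operate
    rate_reduction: float           # constructed: fraction of annual_rate removed


def assess(risk: Risk, appetite: float) -> str:
    """Step 7: acceptable if expected annual loss is within the appetite."""
    return "acceptable" if risk.annual_loss() <= appetite else "not acceptable"


def residual_loss(risk: Risk, cm: Countermeasure) -> float:
    """Residual expected annual loss after applying one countermeasure."""
    return round(risk.single_loss * risk.annual_rate * (1.0 - cm.rate_reduction), 2)


def compare(risk: Risk, countermeasures: List[Countermeasure]) -> List[dict]:
    """Compare each countermeasure's cost with the loss it avoids,
    best net benefit first (the 'compare countermeasures, risks, and costs
    to mitigated risks' bullet)."""
    rows = []
    for cm in countermeasures:
        avoided = round(risk.annual_loss() - residual_loss(risk, cm), 2)
        rows.append({
            "countermeasure": cm.name,
            "annual_cost": cm.annual_cost,
            "loss_avoided": avoided,
            "residual_loss": residual_loss(risk, cm),
            "net_benefit": round(avoided - cm.annual_cost, 2),
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


def recommend(risk: Risk, countermeasures: List[Countermeasure],
              appetite: float) -> Optional[dict]:
    """Return the best countermeasure to put before management, or None
    when the risk is already acceptable or no option pays for itself.
    Management, not the ISSO, makes the final accept/mitigate decision."""
    if assess(risk, appetite) == "acceptable":
        return None
    best = compare(risk, countermeasures)[0]
    return best if best["net_benefit"] > 0 else None


# Constructed sample register entry and candidate countermeasures.
PAYROLL_RISK = Risk(
    target="payroll application server",
    threat="external attacker (manmade, external)",
    vulnerability="unpatched network-facing service",
    existing_countermeasures=["perimeter firewall"],
    single_loss=50_000.0,
    annual_rate=0.2,
)
CANDIDATES = [
    Countermeasure("patch management process", annual_cost=3_000.0, rate_reduction=0.8),
    Countermeasure("host intrusion detection", annual_cost=6_000.0, rate_reduction=0.5),
]
RISK_APPETITE = 2_000.0   # constructed: management's tolerable annual loss


if __name__ == "__main__":
    print(PAYROLL_RISK.target, "->", assess(PAYROLL_RISK, RISK_APPETITE))
    for row in compare(PAYROLL_RISK, CANDIDATES):
        print(row)
    print("recommend:", recommend(PAYROLL_RISK, CANDIDATES, RISK_APPETITE))
```

With the constructed figures, the expected annual loss is 10,000 against an appetite of 2,000, so the risk is not acceptable; the patch management option avoids 8,000 of loss for a cost of 3,000 and is the one the ISSO would bring to management, while host intrusion detection costs more than the loss it avoids. The output is a recommendation only: as the text notes, accepting or mitigating the risk, and how much to spend, remains management's decision.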

Recommendations to Management

When the risk assessment is completed, the ISSO must make recommendations to management. Remember in making recommendations to think from a business point of view: cost, benefits, profits, public relations, etc.

Risk Management Reports

A briefing that includes a formal, written report is the vehicle to bring the risks to management's attention. The report should include identifying areas that need improvement; areas that are performing well; and recommended actions for improvement, including costs and benefits.

Remember that it is management's decision to either accept the risk or mitigate the risks, and how much to spend to do so. The ISSO is the specialist, the in-house consultant. It is management's responsibility to decide what to do. They may follow your recommendations, ignore them, or take some other action. In any case, the ISSO has provided the service and support required.

If the decision is made that no action will be taken, there is still a benefit to conducting the analyses. The ISSO now has a better understanding of the environment, as well as an understanding of some of the vulnerabilities. This information will still help in managing an InfoSec program. The IWC ISSO developed a risk management process to be used as an overall baseline for implementation as part of the risk management philosophy for IWC (Figure 8.8).

Figure 8.8: An overall risk management process.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204