Seven Steps to Managing Risk


We are firm adherents to the principle that risk management has to be an ongoing, cyclical process. You cannot expect to respond to the ever-changing landscape of threats and vulnerabilities by relying on an old risk assessment or a one-time shot at developing a risk assessment program. For your risk management program to succeed, you have to re-evaluate your data, systems, and countermeasures regularly.

One way to accomplish this is to conduct regular vulnerability assessments and threat analyses of your organization. The vulnerability assessment should be conducted many times a year, and IT vulnerability assessment should be conducted as often as possible. With open source vulnerability assessment tools such as Nessus (www.nessus.org), there is no reason why an organization could not schedule weekly vulnerability scans of its IT resources, and with the wide range of qualified firms to choose from, a third-party assessment should be conducted on at least a quarterly basis for the entire organization.

Why so often? Things change, and with IT, they change often and fast. With every new patch, piece of software, computer, or user, something has changed. The key element here is that your organization changes all the time, and you have to keep up with that dynamic element of life. One suggestion we make to all our customers is to always run a vulnerability scanner against any system that has had changes made to it, such as installing a new patch or granting or removing a user's access.

The following sections discuss seven phases of implementing a strong risk management program. The phases are:

Phase I: Analyze

Phase II: Document

Phase III: Secure the Enterprise

Phase IV: Implement Monitoring

Phase V: Test

Phase VI: Integrate

Phase VII: Improve



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    EAN: N/A
    Year: 2004
    Pages: 169
