Information Security Risk Management, in simple terms, is an ongoing process through which risks related to the use of information technology are first identified and then addressed. To achieve this goal certain steps come into play starting with identifying the risks, then assessing them, followed by treating them depending on each organization’s resources. Treating security risks based on the organizations policy is the final objective of this process.
Stages of Risk Management
- 1) Identification
- 2) Analysis
- 3) Curing
- 4) Notification
- 5) Continuous Monitoring
One of the first things to identify is what’s most precious to the organization. There are resources, information and even systems that are considered “pearls” of every organization. Their availability, integrity and confidentiality should always be safeguarded. Certain parameters always need to be kept confidential, for example, identification data, social security numbers etc. Any breach to such data can result in a significant amount of harm to both the individuals and the organization.
What’s equally important is the integrity of the data that the company possesses. Even a tiny mishap of the data’s integrity, for example in financial reporting, can be catastrophic. Not to forget about the availability of data in cases where the company offers services to the masses, for example, online shopping where if data is not available when it should be then the company could bear losses in terms of its customers.
In order to protect important facets related to sensitive data, it is important to first identify exactly where the weak spots lie. There could be software vulnerabilities that jeopardize data or organizational processes that could become an Achilles heel. Such in-depth identification is essential to understand the specific steps that must be taken to deal with the risks involved.
Once the risks are clearly identified, safety measures should be designed. Ongoing checks should be performed periodically to ensure the safety protocols control the risks, eliminate them altogether, or reduce the chances of their impact.
The sum of the three pointers listed above (precious resources, risks and safety plugs) will help chart out a model to ensure efficient risk management for the organization. There are several formulas aimed at putting these factors together. Below are a few industry-standard Risk Measurement formulas for your reference:
- 1) Risk = Threats x Vulnerabilities x Impact
- 2) Criticality = Probability × Severity
- 3) Risk = Criticality (Likelihood × Vulnerability Scores [CVSS]) × Impact
- a. Derives more effective and accurate criticality as well as a risk rating for software security vulnerabilities
This includes various approaches like remediating the risk fully, reducing the risk without completely mending the issue, shifting the risk to another corporation, avoiding the threat fully and accepting the risk without taking steps to eliminate it (if efforts to do so outweigh the aftermaths of the risk itself).
Internal communications in each organization need to describe how the risk is being tackled, who is assigned the tackling task, the costs involved, and who is responsible.
This process is ongoing and requires meticulous attention as the remediation used in fixing or averting the risks can break or disintegrate over time endangering data.
I hope this provides some information and insight, stay tuned for more.