1. What is risk management? Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
Risk management is the process of identifying the risk to an organization’s information assets and infrastructure, as represented by the vulnerabilities in those assets and the threats that could exploit them, and taking steps to reduce that risk to an acceptable level. Identification comes first because you cannot protect, or rank, what you have not inventoried: listing the assets and the vulnerabilities in each one establishes what is at stake and where it is exposed, and every later step (threat assessment, control selection, cost-benefit analysis) is measured against that inventory. Each of the three elements in the C.I.A. triangle, introduced in Chapter 1, is an essential part of every IT organization’s ability to sustain long-term competitiveness. When an organization depends on IT-based systems to remain viable, information security and the discipline of risk management must become an integral part of the ...
This means identifying, examining, and understanding the threats facing the organization. You must determine which threats most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets it threatens.
3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
Each community of interest has a role to play in managing the risks an organization encounters. Because the members of the information security community best understand the threats and attacks that introduce risk into the organization, they usually take the leadership role in addressing risk. Management and users, when properly trained and kept aware of the threats the organization faces, play a part in early detection and response. Management must also ensure that sufficient resources (money and personnel) are allocated to the information security and information technology groups to meet the security needs of the organization. Users work with the systems and the data every day and are therefore well positioned to understand the value these information assets offer the organization and which of the many assets in use are the most valuable. The information technology community of interest must build secure systems and operate them safely; for example, IT operations maintain good backups to control the risk from hard drive failures. The IT community can provide both valuation and threat perspectives to management during the risk management process. All of the communities of interest must work together to address every level of risk, from disasters that could devastate the whole organization down to the smallest employee mistake.
4. In risk management strategies, why must periodic review be a part of the process?
It is essential that all three communities of interest conduct periodic management reviews, because assets, threats, vulnerabilities, and the controls that address them all change over time; a risk assessment that was accurate when it was written drifts out of date as systems are added, retired, or reconfigured. The first focus of management review is the asset inventory. On a regular basis, management must verify the completeness and accuracy of the asset inventory. In addition, organizations must review and verify the threats to and vulnerabilities in the inventoried assets, as well as the current controls and mitigation strategies. They must also review the cost effectiveness of each control and revisit the decisions on deployment of controls. Furthermore, managers at all levels must regularly verify the ongoing effectiveness of every control deployed. For example, a sales manager might assess control procedures by walking through the office before the workday starts and picking up all the papers from every desk in the sales department. When the workers arrive, the manager could inform them that a fire had been simulated and all of their papers destroyed, and that each worker must now follow the disaster recovery procedures to assess the...