I have been hired by AEN (Abdulaziz Essam Nassruldin) company as a Chief Information Officer (CIO) to manage its IT Department. The company's CEO requested me to prepare a report pointing out potential security vulnerabilities at the AEN company.
For that I started with a risk assessment exercise, which identifies the relations between company assets, threats and vulnerabilities that may lead to the loss of confidentiality, integrity, availability, authenticity, or accountability. The output of the risk assessment will determine the actions for managing security risks and for implementing the appropriate controls needed to protect the company assets. The risk assessment process consists ...
1. Assess the risks in the business
• Inventory the processes, technology and other business assets
• Determine the risk profile
• Assess the inherent risk for each process
2. Implement controls to mitigate those risks
• Inventory the existing controls
• Determine if the controls adequately address the risk or if modifications or additional controls are necessary
• Assess the residual risk of each process based on these controls
3. Monitor the performance of those controls
• Implement periodic testing and reporting to identify deficiencies in controls
4. Respond to instances where the controls are deficient
• Implement procedures to limit losses caused by control failures
• Create a process of continuous improvement that adjusts controls based on changes to the risk environment
It's that simple - and it is important to keep that in mind. Operational Risk is a very complex discipline. Just understanding the technology used in information security or planning for a critical business emergency are daunting challenges. Add to that the applicable laws and regulations, the threats, policies, standards and guidelines, the ever-changing business environment, etc., and you have a job that can frequently be overwhelming. But no matter what issue confronts you, it will fit within and be addressed by the process above. Just follow the steps discussed on the following pages.
CIA             | Risks                                                               | Controls                                     | Primary Focus
Confidentiality | Loss of privacy. Unauthorized access to information. Identity theft | Encryption, Authentication, Access controls  | Information Security
Integrity       | Information is no longer reliable or accurate. Fraud                | Maker/Checker, Quality Assurance, Audit Logs | Operational...