Information systems have permeated every aspect of today's society. They allow organizations and people to carry out everyday activities far more efficiently. However, this growing dependence on information systems makes it imperative that methodologies and practices are developed to safeguard the data those systems store and use, as well as the hardware that runs them. A proper understanding of risk management and all that it entails is therefore of the utmost importance for every IT professional, regardless of specialization. The purpose of ...
Planning and organization of the risk management process
Planning and organizing a risk management process involves assembling a risk management team and drawing up a written plan and task list. During the process, reports and deliverables will have to be presented to organizational management, which requires continuous documentation so that the team has a clear sense of direction throughout.
System Components Categorization
This step identifies, categorizes, and documents the assets of an information system: the employees, hardware, software, data, and procedures. Its purpose is to gain an in-depth understanding of the areas that need to be protected, and it allows the team to prioritize which of those areas matter most.
Inventory and categorize assets
Once the components of an organization have been categorized, the next step is to inventory and categorize assets using automated asset inventory tools, database tools, or even simple spreadsheets (Whitman & Mattord, 2012, p. 125). This step is complex and requires team members to have strong analytical skills as well as in-depth knowledge of and experience with the company. The phase is important because it details each asset with respect to its impact on organizational success.
Classification and prioritization of assets
Classification and prioritization of assets is a key step in the risk identification process because it allows the team to identify which assets are the most important and therefore the most important to protect. The step is conceptually straightforward, but carrying it out demands time and research by the team. Interviews with every department of the organization are essential, and collaboration among all team members is needed so that nothing is missed.
Identification and prioritization of threats
This is the step in the process in which all threats are considered, along with the chance of each threat occurring. Threats come in many types, including espionage, forces of nature, human error, software attacks, hardware failure, and software failure; these are just a few of the more common ones. The team must research which threats are most likely to occur. While every organization and situation is different, studies based on actual incidents have shown which types of information systems attacks are likely to occur. According to an article by Whitman, malware infection and hardware theft have been the leading threats every year going back to 2000 (Whitman, 2009, pp. 91-95). This step is vital because it begins the threat identification process on which the security of any organization depends. After all, one...
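The three steps above (inventory and categorize assets, classify and prioritize them, then identify and prioritize threats) can be carried through on a small spreadsheet-style inventory. The following Python script is an added illustration, not part of the essay or of Whitman and Mattord's method: the CSV inventory, the criterion weights, the classification thresholds and the threat likelihoods are all constructed for the example, and the "value times likelihood" ranking is one common way of combining the essay's two prioritizations, not a formula the essay states.

```python
"""Risk identification worked example: inventory -> classify -> prioritize
assets -> rank (asset, threat) pairs. Every number below is constructed for
illustration; none is a figure from the essay or its cited sources."""
import csv
import io
from dataclasses import dataclass

# Assumed weights: how much each scoring criterion contributes to an asset's
# overall importance. The inventory team enters each score on a 0..5 scale.
CRITERIA_WEIGHTS = {"revenue_impact": 0.5, "confidentiality": 0.3, "availability": 0.2}

# Assumed classification tiers on the weighted value (maximum possible is 5.0).
CLASS_THRESHOLDS = (("critical", 4.0), ("high", 3.0), ("medium", 2.0))

# Constructed threat catalogue using the threat types the essay lists, with
# assumed annual likelihoods (0..1). Real figures would come from incident data.
THREATS = {
    "malware": 0.7,
    "hardware_theft": 0.4,
    "human_error": 0.5,
    "hardware_failure": 0.2,
    "forces_of_nature": 0.05,
}

# Constructed inventory in the "simple spreadsheet" form the essay mentions;
# the last column lists which catalogue threats apply to the asset.
INVENTORY_CSV = """name,category,revenue_impact,confidentiality,availability,threats
customer_db,data,5,5,4,malware;human_error
payroll_server,hardware,3,4,4,malware;hardware_theft;hardware_failure
marketing_laptop,hardware,1,2,1,malware;hardware_theft
backup_procedure,procedures,2,1,5,human_error
"""


@dataclass
class Asset:
    name: str
    category: str   # employees, hardware, software, data or procedures
    scores: dict    # criterion -> 0..5
    threats: tuple  # names of THREATS entries that apply to this asset


def load_inventory(csv_text):
    """Parse the CSV inventory into Asset records, rejecting bad scores or unknown threats."""
    assets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        scores = {c: int(row[c]) for c in CRITERIA_WEIGHTS}
        if any(not 0 <= s <= 5 for s in scores.values()):
            raise ValueError(f"{row['name']}: scores must be in 0..5")
        threats = tuple(t for t in row["threats"].split(";") if t)
        unknown = set(threats) - set(THREATS)
        if unknown:
            raise ValueError(f"{row['name']}: unknown threats {sorted(unknown)}")
        assets.append(Asset(row["name"], row["category"], scores, threats))
    return assets


def asset_value(asset):
    """Weighted importance of an asset to organizational success (0..5)."""
    return sum(w * asset.scores[c] for c, w in CRITERIA_WEIGHTS.items())


def classify(asset):
    """Map the weighted value onto a classification tier; below every threshold is 'low'."""
    value = asset_value(asset)
    for label, threshold in CLASS_THRESHOLDS:
        if value >= threshold:
            return label
    return "low"


def prioritize_assets(assets):
    """Most important assets first: the order in which protection effort is spent."""
    return sorted(assets, key=asset_value, reverse=True)


def rank_risks(assets, threats=THREATS):
    """Score each applicable (asset, threat) pair as value x likelihood, highest first."""
    rows = [(a.name, t, round(asset_value(a) * threats[t], 2))
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for a in prioritize_assets(inventory):
        print(f"{a.name:18} {a.category:11} value={asset_value(a):.2f} class={classify(a)}")
    for name, threat, score in rank_risks(inventory):
        print(f"{score:5.2f}  {name} <- {threat}")
```

Running the script prints the asset list in priority order (the customer database first, the marketing laptop last) and then the ranked asset/threat pairs, with malware against the customer database at the top. The validation in `load_inventory` matters in practice: an out-of-range score or a threat name that is not in the catalogue silently distorts the ranking if it is allowed through.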