Abu Dhabi Men’s College
Information Systems Security and Forensics
Individual Case Study
Risk Management and its role in an organization
Risk management process
Information Security Risk Identification
Risk identification techniques
Information Security Risk Assessment
Information security risk mitigation
Information Security Risk Transfer
Information security Risk Acceptance
Information Security Risk Monitoring
Conclusion
Risk management is, essentially, defined as the identification, analysis, acceptance and mitigation of uncertainty. Risk management takes place whenever a security manager identifies and analyses a potential threat to the security of the organization's information systems. Information systems security management is a vital component of any organization that relies on information systems for its daily operations, because security risk management ensures that normal operations are not disrupted. The organization's operations are geographically distributed across different locations, which increases its exposure to information security risks. It is, therefore, fundamental that the organization has a well-defined risk management framework.
This report describes information system security risk management and how it can be implemented effectively in the organization. It covers the processes of risk identification, risk assessment, and the acceptance and mitigation of risks in the organization. It is crucial to note that a risk management process exists in every organization, but for the process to succeed here, the geographical dispersion of the organization must be heavily factored into it. The process is carried out in two broad steps: first, determine the potential risks to the organization's information systems, and then identify the most appropriate ways of addressing the risks identified.
Risk Management and its role in an organization
According to information security risk management is the process of identifying and evaluating risks to information security and collecting information on each risk. This is followed by the implementation of mitigation strategies aimed at reducing the risk to an acceptable level. Alternatively, the risk can be transferred to another party or, where justified, accepted. The organization must follow this process to ensure proper risk management.
Risk management ensures the continuity of activities and procedures in an organization, and it minimizes the impact of a risk when it materializes. An organization's ability to manage uncertainty increases its confidence in handling future business decisions, and it builds the knowledge and experience needed to handle future risks.
Most importantly, risk management requires the organization to define its objectives clearly, and it helps the company stay on track and achieve its goals and objectives.
Risk management process
The following processes must be followed to manage information security risks in the organization effectively:
Information Security Risk Identification: this is a key component of a risk management framework. The organization must identify the significant risks that might impede the achievement of its goals and objectives, including all sources, controls and components associated with each risk in all of its geographical locations. The organization must be aware of its risks at all times, so the risks should be well documented and communicated effectively. Most importantly, the organization should focus on the internal and external root causes of risks, their effects and their outcomes.
Risk identification techniques
Several techniques are used to identify risks and then prioritize risk factors. The principal risk identification techniques include brainstorming, interviews, surveys, establishing work groups, experiential knowledge and documented knowledge. More advanced techniques include the Delphi technique, checklists, forms and templates, the nominal group technique and the Crawford slip method.
Information Security Risk Assessment: after risks have been identified, it is crucial to assess them and determine their potential impact on the organization. Risk assessment provides the basis for prioritization and for selecting appropriate remediation. Every geographical location of the organization must have the capacity to assess the risks identified there, as this greatly aids in selecting suitable measures. Risk assessment enables the organization to determine which risks to address first and how to address them. This process is not possible without proper identification of the risks inherent in the organization.
An example of a major risk to the organization is an information security breach, resulting from unauthorised access to, or loss of, confidential data and information. Once this risk is identified, its effects can be assessed, and they would be detrimental to the organization if it occurred: disruption of the organization's activities, damage to its reputation, reduced efficiency and possibly loss of revenue. The most likely consequence would be the loss of competitive advantage within the organization's field of operation.
Information security risk mitigation: after risks are assessed and evaluated, risk reduction and mitigation measures are prioritized, evaluated and implemented. The mitigation measures will vary with the nature of each risk. It is impossible to eliminate all risks; therefore, the organization must strike a balance between the effectiveness and the cost of the preferred mitigation measure. Every outlet of the organization must have appropriate measures, including controls, in place, and must maintain documentation of all mitigation measures.
Information Security Risk Transfer: risks can be transferred to another party, commonly an insurance agency. A risk may be transferred only if the receiving party has the capability to handle the risk and is legally permitted to do so.
Information security Risk Acceptance: sometimes no mitigation measure is available for a given risk, or the available measures are not cost-effective. In such circumstances, risk acceptance is the remaining option. The organisation must accurately and consistently document the risks it accepts, and they must be periodically reviewed and approved by appropriate personnel.
Information Security Risk Monitoring: occasionally, a risk is identified but there is insufficient information about its likelihood of occurrence and potential impact. Such risks must be monitored continuously, and a framework should be established to gather enough information to determine whether the risk should be mitigated, transferred or accepted.
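The steps above (identify, assess, then mitigate, transfer, accept or monitor) can be expressed as a small risk register. The following Python is an added illustration, not part of this report or of any cited framework; it assumes a 5-point likelihood and impact scale, a risk appetite threshold of 4 (score = likelihood × impact), and constructed exposure and control-cost figures. Risks scored above the appetite are mitigated when the control costs no more than the annual exposure, transferred when a capable party exists, and otherwise accepted with a documented review date; risks that cannot yet be scored are placed under monitoring.

```python
"""Risk register demo: scoring, prioritisation and treatment selection (illustrative, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Treatment(Enum):
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    ACCEPT = "accept"
    MONITOR = "monitor"


@dataclass
class Risk:
    rid: str
    description: str
    location: str                            # geographical site that owns the risk
    likelihood: Optional[int]                # 1 (rare) .. 5 (almost certain); None = insufficient information
    impact: Optional[int]                    # 1 (negligible) .. 5 (severe); None = insufficient information
    annual_exposure: float = 0.0             # estimated annual loss if untreated (constructed figure)
    mitigation_cost: Optional[float] = None  # annual cost of the preferred control, if one exists
    transferable: bool = False               # a capable, legally compliant third party will take the risk


@dataclass
class Decision:
    rid: str
    score: Optional[int]
    treatment: Treatment
    rationale: str
    review_by: date                          # every decision carries a periodic review date


def risk_score(risk):
    """Likelihood x impact on the assumed 1..5 scales; None when the risk cannot be scored yet."""
    if risk.likelihood is None or risk.impact is None:
        return None
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.rid}: likelihood and impact must be in 1..5")
    return risk.likelihood * risk.impact


def prioritise(register):
    """Highest score first; risks that cannot be scored yet go to the end (sort is stable)."""
    return sorted(register, key=lambda r: -(risk_score(r) or 0))


def decide(risk, appetite=4, today=date(2024, 1, 1)):
    """Select a treatment for one risk using the assumed decision rules."""
    score = risk_score(risk)
    if score is None:
        return Decision(risk.rid, None, Treatment.MONITOR,
                        "insufficient information on likelihood or impact", today + timedelta(days=90))
    if score <= appetite:
        return Decision(risk.rid, score, Treatment.ACCEPT,
                        f"score {score} within appetite {appetite}", today + timedelta(days=365))
    if risk.mitigation_cost is not None and risk.mitigation_cost <= risk.annual_exposure:
        return Decision(risk.rid, score, Treatment.MITIGATE,
                        f"control cost {risk.mitigation_cost:.0f} <= exposure {risk.annual_exposure:.0f}",
                        today + timedelta(days=365))
    if risk.transferable:
        return Decision(risk.rid, score, Treatment.TRANSFER,
                        "no cost-effective control; capable, compliant third party available",
                        today + timedelta(days=365))
    return Decision(risk.rid, score, Treatment.ACCEPT,
                    "no cost-effective control or transfer; requires documented approval",
                    today + timedelta(days=180))


def treatment_plan(register, appetite=4, today=date(2024, 1, 1)):
    """Prioritised list of decisions for the whole register."""
    return [decide(r, appetite, today) for r in prioritise(register)]


# Constructed sample register spanning several hypothetical sites.
SAMPLE_REGISTER = [
    Risk("R1", "Unauthorised access to customer records", "HQ", 4, 5,
         annual_exposure=250000, mitigation_cost=40000),
    Risk("R2", "Ransomware on the branch file server", "Branch-East", 3, 4,
         annual_exposure=120000, mitigation_cost=150000, transferable=True),
    Risk("R3", "Loss of a single encrypted laptop", "Branch-West", 2, 2,
         annual_exposure=3000, mitigation_cost=2000),
    Risk("R4", "Outage of a newly adopted cloud service", "HQ", None, None),
    Risk("R5", "VPN appliance without vendor support", "Branch-East", 3, 3,
         annual_exposure=30000, mitigation_cost=60000),
]

if __name__ == "__main__":
    for d in treatment_plan(SAMPLE_REGISTER):
        print(f"{d.rid} score={d.score} {d.treatment.value:8} review_by={d.review_by} :: {d.rationale}")
```

Running the block prints the register in priority order with the chosen treatment and its review date; the rationale string is the documentation the acceptance and monitoring steps call for, and changing the appetite or the cost figures shows how the balance between control cost and effectiveness moves a risk between treatments.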
In conclusion, it is evident that information security risks are a serious impediment to the organization's goals and objectives and must be handled professionally. The process for managing risks is not only a fundamental requirement in the organization but also a key tool for achieving its goals and objectives. The organization must therefore treat risk management as one of its key focus areas and reflect this in its budgetary allocations.
Logically, an effective approach to information security risk management rests on effective communication throughout the organization. This must be further supported by ownership of the risks and responsibility for managing them. Therefore, the organization should set out a clear risk management policy that is aligned with its business objectives.
Alberts, C. J., & Dorofee, A. (2002). Managing information security risks: the OCTAVE approach. Addison-Wesley Longman Publishing Co., Inc.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST Special Publication, 31-35.