What Are the Three Primary Aspects of Information Security Risk Management & Why Is Each Important?

Organizations try to manage the security risk posed by widespread access to information.
Organizations try to manage the security risk posed by widespread access to information. (Image: Ryan McVay/Photodisc/Getty Images)

Information security risk management involves assessing possible risk and taking steps to mitigate it, as well as monitoring the result. Every assessment includes defining the nature of the risk and determining how it threatens information system security. This leads directly to risk mitigation such as upgrading systems to minimize the likelihood of the assessed risk. Finally, risk management includes monitoring the system on an ongoing basis to see if the risk mitigation interventions produced the desired results.

IT Self Defense Basics

An organization must ensure that it has the capabilities to accomplish its mission. It must identify risks that threaten those capabilities, and evaluate protective measures, keeping in mind the economic and other costs of those measures. One risk that most modern organizations face is compromised information security. An organization must identify where compromised information security would affect its capabilities to accomplish its mission and take appropriate corrective measures within its established budgetary framework.

Risk Assessment

When an organization determines that weaknesses in information security pose a risk to its capabilities, it must thoroughly examine its IT systems, operations, procedures and external interactions to find out where the risks lie. This means identifying possible threats, vulnerabilities to those threats, possible countermeasures, impact and likelihood. Risks can be classified as to severity depending on impact and likelihood. The importance of assessment is that it allows the identification of high risks that must be mitigated.

Risk Mitigation

Mitigation means reducing or eliminating the risks identified by the assessment. Strategies for dealing with the risk include accepting the risk, adopting measures which will lower the risk, avoiding the risk by eliminating the cause, limiting the risk by putting controls in place, or transferring the risk to a supplier, customer or insurance company. Which strategy is appropriate is determined by the extent to which the risk impairs the ability of the organization to fulfill its mission, and the cost of implementing the strategy. Structured mitigation is important as a framework for risk management.

Evaluation and Monitoring

Once assessment and mitigation have been completed, the organizational unit must evaluate the immediate result and monitor the system on an ongoing basis. This process starts with an evaluation of the effects of the assessment and mitigation, including the setting of benchmarks for progress. It continues with the evaluation of the effect of changes and additions to information systems. Finally, it performs continuous monitoring of information security performance, with the aim of identifying areas which may have to be assessed for additional risk. Evaluation and monitoring are important for determining how successfully the organizational unit has managed its information security risk.

Related Searches


Promoted By Zergnet


You May Also Like

Related Searches

Check It Out

Are You Really Getting A Deal From Discount Stores?

Is DIY in your DNA? Become part of our maker community.
Submit Your Work!