Understand and Apply Risk Management Concepts
Information security activities are conducted within the context of risk. A common understanding of risk management principles, concepts, and approaches is essential when structuring an information security program.
Risk
The International Standards Organization Guide 73:2009, “Risk management – Vocabulary,” was developed to standardize the language, terms, and high-level concepts related to risk management. Risk, in the context of the ISO standards, “is the effect of uncertainty on objectives.” While the ISO definition is sufficiently broad to accept both negative and positive effects of uncertainty, other frameworks define the term differently.
Federal Information Processing Standard 200 defines risk as follows: “The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.” While the FIPS addresses risk within the context of information systems in the U.S. federal government, this definition is widely used and applicable to other organizations as well.
For the security professional, such ambiguities in language can be frustrating, particularly when relating an organization’s work practice to the CISSP CBK. The (ISC)2 definition of risk is as follows: “The possibility of damage or harm and the likelihood that damage or harm will be realized.”
Related Product : Certified Information System Security Professional | CISSP
Risk Management Frameworks
A number of frameworks have been developed to identify and evaluate risk. These frame- works have evolved to address the unique needs of different industries and processes.
Individually, these frameworks address assessment, control, monitoring, and audit of information systems in different ways, but all strive to provide internal controls to bring risk to an acceptable level. While there are several internationally accepted risk frame- works, a number of industry-specific frameworks have also been developed to meet specific needs.
Regardless of the framework, to effectively address risk in an organization, standard processes to evaluate the risks of operation of information systems must take into account the changing threat environment, the potential and actual vulnerabilities of systems, the likelihood that the risk will occur, and the consequence to the organization, should that risk become manifest.
Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/
