Documente Academic
Documente Profesional
Documente Cultură
And
Risk Management
Abstract
Risk assessment is a structured and systematic procedure, which is dependent upon the
correct identification of hazards and an appropriate assessment of risks arising from them, with a
view to making inter-risk comparisons for purposes of their control and avoidance. There are
differences in the methodology used to conduct risk assessments.
In that way, the risk assessment process in the safety analysis of an IT system is carried
out by an original method from the occupational health area.
Outline
I. Introduction
Purpose
Goals
Problems
Scope and Limitations
II. Methodology
III. Discussion of Risk Assessment
Tables and Figures
Question and Answers
IV. CONCLUSION
References
Appendixes
Introduction
Every organization has a mission. In this digital era, as organizations use automated
information technology (IT) systems to process their information for better support of their
missions, risk management plays a critical role in protecting an organization’s information
assets, and therefore its mission, from IT-related risk.
CHAPTER 1
1.1 Purpose
Risk is the net negative impact of the exercise of vulnerability, considering both the
probability and the impact of occurrence. Risk management is the process of identifying risk,
assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a
foundation for the development of an effective risk management program, containing both the
definitions and the practical guidance necessary for assessing and mitigating risks identified
within IT systems. The ultimate goal is to help organizations to better manage IT-related mission
risks.
1.2 Goals
The goals of this project is to enable the organization to accomplish its mission(s)
(1) by better securing the IT systems that store, process, or transmit organizational information;
(2) by enabling management to make well-informed risk management decisions to justify the
expenditures that are part of an IT budget; and
(3) by assisting management in authorizing (or accrediting) the IT systems on the basis of the
supporting documentation resulting from the performance of risk management.
1.3 Problems
Risk management is nothing new. There are many tools and techniques available for
managing organizational risks. There are even a number of tools and techniques that focus on
managing risks to information systems. This paper explores the issue of risk management with
respect to information systems and seeks to answer the following questions:
Risk management encompasses three processes: risk assessment, risk mitigation, and
evaluation and assessment. The DAA or system authorizing official is responsible for
determining whether the remaining risk is at an acceptable level or whether additional security
controls should be implemented to further reduce or eliminate the residual risk before
authorizing (or accrediting) the IT system for operation.
Risk management is the process that allows IT managers to balance the operational and
economic costs of protective measures and achieve gains in mission capability by protecting the
IT systems and data that support their organizations’ missions. This process is not unique to the
IT environment; indeed it pervades decision-making in all areas of our daily lives. Take the case
of home security, for example. Many people decide to have home security systems installed and
pay a monthly fee to a service provider to have these systems monitored for the better protection
of their property. Presumably, the homeowners have weighed the cost of system installation and
monitoring against the value of their household goods and their family’s safety, a fundamental
“mission” need.
The head of an organizational unit must ensure that the organization has the capabilities
needed to accomplish its mission. These mission owners must determine the security capabilities
that their IT systems must have to provide the desired level of mission support in the face of real
world threats. Most organizations have tight budgets for IT security; therefore, IT security
spending must be reviewed as thoroughly as other management decisions. A well-structured risk
management methodology, when used effectively, can help management identify appropriate
controls for providing the mission-essential security capabilities.
CHAPTER 3
In conclusion, successful and effective risk management is the basis of successful and
effective IT security. Due to the reality of limited resources and nearly unlimited threats, a
reasonable decision must be made concerning the allocation of resources to protect systems. Risk
management practices allow the organization to protect information and business process
commensurate with their value. To ensure the maximum value of risk management, it must be
consistent and repeatable, while focusing on measurable reductions in risk. Establishing and
utilizing an effective, high quality risk management process and basing the information security
activities of the organization on this process will lead to an effective information security
program in the organization.
References
Bozic, V., Kosic, S., & Nikolic, B. (2014). Regulation for risk assessment procedure in the work place and
in the workspace – comments. VTS, Novi Sad.
BSI Standard 100-1. (2011). Information Security Management Systems (ISMS). Retrieved May 2008,
from www.bsi.bund.de
Assmuth Timo, Hildén Mikael(2011) The significance of information frameworks in integrated risk
assessment and management.
Risk Management. (2013). Implementation principles and Inventories for Risk Management/Risk
Assessment methods and tools.
Ruzic-Dimitrijevic, L., & Nikolic, B., (2012). Designing and building an information system for a higher
education institution.
Chapman, C.B. and Ward, S.C., 2014. Project risk management: Process, techniques and insights. 2nd
Edition. Chichester: John Wiley and Sons
Chege, L. and Rwelamil, P., 2013. Risk management and procurement systems – an imperative
approach.
Cooper, D., Grey, S., Raymond, G., and Walker, P., 2013. Project Risk Management Guidelines:
Managing Risk in Large Projects and Complex Procurements. Chichester: John Wiley & Sons, Ltd
Edwards, L., 2012. Practical risk management in the construction industry. London: Thomas Telford
Publications
Elkingtin P. and Sallman C., 2011. Managing project risks: a case study form the utilities sector.
International Journal of Project Management. Vol. 20, No. 1, pp. 49-57
Appendix I: Acronyms
IT - Information technology
SDLC - System Development Life Cycle
DAA - Designated Approving Authority
POAM - Plan of Action & Milestones
IT-Related Risk - The net mission impact considering (1) the probability that a particular threat-
source will exercise (accidentally trigger or intentionally exploit) particular information system
vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal
liability or mission loss due to—
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT
system.
Risk Assessment -The process of identifying the risks to system security and determining the
probability of occurrence, the resulting impact, and additional safeguards that would mitigate this
impact. Part of Risk Management and synonymous with Risk Analysis.
Risk Management - The total process of identifying, controlling, and mitigating information
system–related risks. It includes risk assessment; cost-benefit analysis; and the selection,
implementation, test, and security evaluation of safeguards. This overall system security review
considers both effectiveness and efficiency, including impact on the mission and constraints due
to policy, regulations, and laws.
Security - Information system security is a system characteristic and a set of mechanisms that
span the system both logically and physically.
Security Goals - The five security goals are integrity, availability, confidentiality,
accountability, and assurance.