Page 47 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Unit 4: Risk Analysis




          4.1 Risk

          Risk is virtually anything that threatens or limits the ability of an organization to achieve its
          mission. Risk management should be a set of continuous and evolving processes that are
          applied throughout an organization's strategy and that methodically address all the risks
          surrounding past, present and future activities.
          The information security risks confronting an organization will vary with the nature of the
          processing performed by the organization and the sensitivity of the information processed. An
          understanding of risk and the application of a risk assessment methodology is essential to being
          able to efficiently and effectively create a secure computing environment.
          Unfortunately, this is still a challenging area for information professionals because of the rate of
          change in technology, the relatively recent advent and explosive growth of the Internet, and
          perhaps the prevalence of the attitude (or reality) that assessing risk and identifying return on
          investment is simply too hard to do.
          This has kept information systems and information systems security in the undesirable position
          of being unable to systematically identify and monetarily quantify security risks. This in turn
          has led to inconsistent and inappropriate application of security solutions, as well as either
          excessive or insufficient funding for such activities.



             Did u know? Risk Management is primarily concerned with reducing the potential of any
             internal or external events to detrimentally affect a business.

          Self Assessment

          Fill in the blanks:
          1.   ....................... is virtually anything that threatens or limits the ability of an organization to
               achieve its mission.
          2.   An understanding of risk and the application of risk assessment methodology is essential
               to being able to efficiently and effectively create a ....................... computing environment.

          4.2 Risk Management

          Risk management is a process to identify and then manage threats that could severely impact
          or bring down the organization. The CISA Review Manual 2006 defines risk management as
          the process of identifying vulnerabilities and threats to the information resources used by an
          organization in achieving business objectives, and deciding what countermeasures, if any, to
          take in reducing risk to an acceptable level, based on the value of the information resource to
          the organization. Successful risk management needs the involvement of all levels of employees
          of an organization.
          There are two main areas of focus for risk management, each with its own set of objectives.

          4.2.1 Internal Factors

          1.   To reassure management that the business is aware of, and in control of, current and future
               business risks.
          2.   To safeguard business assets and reputation.





                                           LOVELY PROFESSIONAL UNIVERSITY                                   41