While the last few years have brought about many great advances in IT and network technology, security and risk management have reached a critical point. There is a host of new concerns the IT security manager must deal with, including social networking, mobile, cloud, and information sharing. These have unleashed a new wave of change and potential risk.
Risk management is required to deal with these emerging technologies and should provide the rationale for all information security activities within the organization. You can think of risk management as the process of ensuring that the impact of threats and exploited vulnerabilities is within acceptable limits at an acceptable cost. Risk management requires the use of countermeasures. Countermeasures can include any process that serves to reduce threats or vulnerabilities.
While it may be nice to think that this process must only be done once, that is not the case. Risk management should be a continuous process that is repeated when there are changes to the environment or on a periodic basis. Risk management requires:
- Identifying and recording assets
- Understanding the nature and extent of risk exposures
- Determining the likelihood of threats
- Identifying the value of the critical information or asset
- Determining how to deal with the risk
There are several frameworks commonly used to carry out this process. They include: FAIR (Factor Analysis of Information Risk), RFA (Risk Factor Analysis), PRA (Probabilistic Risk Assessment), and NIST 800-115 Risk Assessment Methodology. As an example, NIST 800-115 defines nine steps in its risk assessment process. Once the risk has been identified there are several ways to deal with it, including acceptance, transference, or mitigation. Acceptance simply means that the organization believes the benefits outweigh the potential loss. To transfer the risk, some may buy insurance or outsource the activity to a third party. To mitigate the risk means that it is reduced in some way, for example by using a firewall, increasing password complexity, or even moving to two-factor authentication.
What’s important to remember about risk management is that the process is never done, in the sense that it must be periodically repeated and that there is always some remaining risk. That residual risk is what remains after the controls and countermeasures are deployed.