Founder of gtmars.com & plan2trip.com. Sharing knowledge in the digital world about Cybersecurity
The goal of risk management is to identify the potential problems before they emerge. Usually, they occur unconditionally. It helps the IT managers to balance the CAPEX/OPEX costs in the organization and also take protective measures and gains much control power.
Risk management comprises of three processes: Risk assessment, Risk Mitigation, and Risk evaluation. Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control, and monitoring of implemented measurements and the enforced security policy. Risk IT provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues.
The standard risk assessment methodologies form part of a risk management and assessment process depicted below in the figure which enables an organization to effectively identify, assess, and treat risks.
The risk is the product of likelihood times impact
(Risk = Likelihood * Impact)
The measure of an IT risk can be determined as a product of threat, vulnerability, and asset values:
To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities, and the controls in place for the IT system. Impact refers to the magnitude of harm a threat’s exercise of vulnerability could cause that.
The level of impacts is governed by the potential mission impacts and in return produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data).
The risk assessment method encompasses nine primary steps, which are described in the given below sections. It derives this functional model from the NIST SP 800–30 framework as a reference.
Characterizing an IT system establishes the scope of the risk assessment effort.
The system-related information used to characterize an IT system and its operational environment.
The information-gathering techniques that can solicit information relevant to the IT system processing environment. The method described in this document can apply to assessments of single or multiple, interrelated systems.
Information Assets of the IT system:
Identifying risk for an IT system requires a keen understanding of the system’s processing environment. The person or persons who conduct the risk assessment must therefore first collect system-related information, which is usually classified as follows:
For a system that is in the initiation or design phase, we can derive system information from the design or requirements document. For an IT system under development, it is necessary to define key security rules and attributes planned for the future IT system. Therefore, the system description based on the security provided by the underlying infrastructure or on future security plans for the IT system.
— — — — — — — — — — — THE END — — — — — — — — — — — —
Quote of the day:
“Don’t count your chickens before they’re hatched”
Meaning: don’t be too confident in anticipating success or good fortune before it is certain.
Thanks for reading!
Have a pleasant day!
Create your free account to unlock your custom reading experience.