The goal of risk management is to identify the potential problems before they emerge. Usually, they occur unconditionally. It helps the IT managers to balance the CAPEX/OPEX costs in the organization and also take protective measures and gains much control power. Risk management comprises of three processes: , , and . Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control, and monitoring of implemented measurements and the enforced security policy. provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. Risk assessment Risk Mitigation Risk evaluation Risk IT Risk=((Vulnerability*Threat)/CounterMeasure) The standard risk assessment methodologies form part of a risk management and assessment process depicted below in the figure which enables an organization to effectively identify, assess, and treat risks. The risk is the product of likelihood times impact (Risk = Likelihood * Impact) The measure of an IT risk can be determined as a product of threat, vulnerability, and asset values: A study of the vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. Managers use the results of a risk assessment to develop security requirements and specifications. To determine expected loss and establish acceptability to system operations. Identification of a specific ADP facility’s assets, the threats to these assets, and the ADP facility’s vulnerability to those threats. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level. A management tool that provides a systematic approach for determining the relative value and sensitivity of computer installation assets, assessing vulnerabilities, assessing loss expectancy or perceived risk exposure levels, assessing existing protection features and additional protection alternatives or acceptance of risks, and documenting management decisions. The Code of practice for information security management recommends the following examined during a : ISO/IEC 27002:2005 risk assessment To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities, and the controls in place for the IT system. Impact refers to the magnitude of harm a threat’s exercise of vulnerability could cause that. The level of impacts is governed by the potential mission impacts and in return produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). The risk assessment method encompasses nine primary steps, which are described in the given below sections. It derives this functional model from the as a reference. NIST SP 800–30 framework System characterization: Characterizing an IT system establishes the scope of the risk assessment effort. The system-related information used to characterize an IT system and its operational environment. The information-gathering techniques that can solicit information relevant to the IT system processing environment. The method described in this document can apply to assessments of single or multiple, interrelated systems. Information Assets of the IT system: Identifying risk for an IT system requires a keen understanding of the system’s processing environment. The person or persons who conduct the risk assessment must therefore first collect system-related information, which is usually classified as follows: For a system that is in the initiation or design phase, we can derive system information from the design or requirements document. For an under development, it is necessary to define key security rules and attributes planned for the future IT system. Therefore, the system description based on the security provided by the underlying infrastructure or on future security plans for the IT system. IT system — — — — — — — — — — — — — — — — — — — — — — — THE END Quote of the day: “Don’t count your chickens before they’re hatched” don’t be too confident in anticipating success or good fortune before it is certain. Meaning: Thanks for reading! Have a pleasant day! Also published at https://medium.com/faun/risk-assessment-management-framework-and-its-structure-2914252ad6f0

What Is Risk Management And How To Integrate It Into SDLC: Best Explanation Ever

How To Make an Internal Employee Survey on Endpoint Security

Nominated for 2022 - HackerNoon Contributor of the Year - Internet

Too Long; Didn't Read

Make resilience your competitive advantage

Guide to Risk Assessment Management and ISO/IEC 27002/27005

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

5 Simple Ways To Get Rid Of High CPU Usage Troubles on Windows

105 Stories To Learn About K8s

10 Ways to Future-Proof Your Business With Cloud

10 Ways to Reduce Data Loss and Potential Downtime Of Your Database

10 Upcoming DevOps Conferences for 2018

5 Simple Ways To Get Rid Of High CPU Usage Troubles on Windows

105 Stories To Learn About K8s

10 Ways to Future-Proof Your Business With Cloud

10 Ways to Reduce Data Loss and Potential Downtime Of Your Database

10 Upcoming DevOps Conferences for 2018

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps