The goal of risk management is to identify the potential problems before they emerge. Usually, they occur unconditionally. It helps the IT managers to balance the CAPEX/OPEX costs in the organization and also take protective measures and gains much control power. Risk management comprises of three processes: , , and . Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control, and monitoring of implemented measurements and the enforced security policy. provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. Risk assessment Risk Mitigation Risk evaluation Risk IT Risk=((Vulnerability*Threat)/CounterMeasure) The standard risk assessment methodologies form part of a risk management and assessment process depicted below in the figure which enables an organization to effectively identify, assess, and treat risks. The risk is the product of likelihood times impact (Risk = Likelihood * Impact) The measure of an IT risk can be determined as a product of threat, vulnerability, and asset values: A study of the vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. Managers use the results of a risk assessment to develop security requirements and specifications. To determine expected loss and establish acceptability to system operations. Identification of a specific ADP facility’s assets, the threats to these assets, and the ADP facility’s vulnerability to those threats. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level. A management tool that provides a systematic approach for determining the relative value and sensitivity of computer installation assets, assessing vulnerabilities, assessing loss expectancy or perceived risk exposure levels, assessing existing protection features and additional protection alternatives or acceptance of risks, and documenting management decisions. The Code of practice for information security management recommends the following examined during a : ISO/IEC 27002:2005 risk assessment To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities, and the controls in place for the IT system. Impact refers to the magnitude of harm a threat’s exercise of vulnerability could cause that. The level of impacts is governed by the potential mission impacts and in return produces a relative value for the IT assets and resources affected (e.g., the criticality and sensitivity of the IT system components and data). The risk assessment method encompasses nine primary steps, which are described in the given below sections. It derives this functional model from the as a reference. NIST SP 800–30 framework System characterization: Characterizing an IT system establishes the scope of the risk assessment effort. The system-related information used to characterize an IT system and its operational environment. The information-gathering techniques that can solicit information relevant to the IT system processing environment. The method described in this document can apply to assessments of single or multiple, interrelated systems. Information Assets of the IT system: Identifying risk for an IT system requires a keen understanding of the system’s processing environment. The person or persons who conduct the risk assessment must therefore first collect system-related information, which is usually classified as follows: For a system that is in the initiation or design phase, we can derive system information from the design or requirements document. For an under development, it is necessary to define key security rules and attributes planned for the future IT system. Therefore, the system description based on the security provided by the underlying infrastructure or on future security plans for the IT system. IT system — — — — — — — — — — — — — — — — — — — — — — — THE END Quote of the day: “Don’t count your chickens before they’re hatched” don’t be too confident in anticipating success or good fortune before it is certain. Meaning: Thanks for reading! Have a pleasant day! Also published at https://medium.com/faun/risk-assessment-management-framework-and-its-structure-2914252ad6f0

2022 - HackerNoon Contributor of the Year - Internet

Nominated for 2022 - HackerNoon Contributor of the Year - Internet

Too Long; Didn't Read

Developers: Build Less. Deliver More. [Learn how]	

Guide to Risk Assessment Management and ISO/IEC 27002/27005

Too Long; Didn't Read

Company Mentioned

Vic

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Guide to Risk Assessment Management and ISO/IEC 27002/27005

Too Long; Didn't Read

Company Mentioned

Vic

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES