Principles of risk management
An abundance of information security and risk management theories exists; however, it can be difficult to identify which of them are valid and applicable. In the reading that follows, several information security and risk management theories are evaluated. These theories are presented and employed via various frameworks, models, and best-practice guidelines. An assessment of whether sufficient research exists on these theories is addressed, along with a consideration of the challenges that arise from a lack of research.
Theories
The evolution and understanding of the importance of information security and risk management originates from the awareness of the potential of IT in business functions and as a business enabler. This was then followed by the realization that the risks brought about by this boundless facilitator must be appropriately understood and addressed. The essence of information security and risk management is to distinguish low-risk from high-risk systems and processes, and then to address those risks appropriately.
Risk Management Theory. The Risk Management Theory has been around for quite some time. According to Hong, Chi, Chao, and Tang (2003), risks pertaining to IT security can be measured and evaluated by means of assessing potential attack vectors, and susceptibilities to the organization’s systems and processes. The authors suggest that the outcome of this evaluation allows for the identification of essential security programs and the employment of IT security controls to mitigate these risks. The intended outcome of utilizing this theory is to manage risks until they are at a permissible state. The Risk Management Theory, while broad in nature, does not encompass enough of the information security and risk...
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members. However, a Chief Information Officer should be appointed to direct an organization’s day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring that all rules and policies are being followed, as well as for understanding their roles, responsibilities and functions. Organizations’ information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from the actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
Risk matrices are tools that allow the categorization of risk using a two-, three-, or four-dimensional risk scoring system. Although risk assessments remain the most systematic and effective method of identifying risks and determining the best ways to minimize or remove them, they are still subjective: even when presented in an objective manner, they are often based on assumptions that are themselves subjective. Nonetheless, they are an essential part of any risk management program, incorporating the processes of risk analysis and risk evaluation by separating risks that are unacceptable from those that are acceptable; but whatever type of matrix is used, risks should always be evaluated in a consistent manner. When conducting risk assessments, risks are analyzed by combining estimates of severity (consequence or outcome) with the probability (frequency or likelihood) of occurrence, as in the two-dimensional risk scoring system. The simplest of the three scoring systems, the two-dimensional scoring system can be further clar...
Data breaches have gone up significantly, and hackers are coming up with innovative techniques for breaching the data security network. There are several challenges associated with cybersecurity management, as there is a multitude of threats arising from various sources. Cybersecurity threats can have different levels of impact on an organization or a business, and the impact varies by industry type. According to the Securitas USA survey, manufacturing, healthcare and insurance, finance, information, and utilities saw cybersecurity as the topmost threat to their businesses (Securitas USA,
A number of different models have been proposed as frameworks for information security, but one of the best is the McCumber model, designed by John McCumber. In this model the elements to be studied are organized in a cube structure, in which each axis represents a different viewpoint on an information security issue, and there are three major elements on each axis. This model, with its 27 small cubes organized together, looks similar to a Rubik’s cube. The three axes of the cube are: desired goals, information states, and measures to be taken. At the intersections of the three axes you can examine all angles of an information security problem.
The Silver Star Mines risk assessment illustrates how a company can be in great danger if proper security measures and policies are not put into effect for every business process. In fact, “an IT security risk assessment is needed for each asset in the organization that requires protection” (Stallings, 2015, p. 486). According to the initial review, the Silver Star Mines risk assessment highlights the following risk areas: Supervisory Control and Data Acquisition (SCADA) at the top, critical risk level; stored information at extreme risk; financial, procurement and production systems at high risk; and e-mail services at high risk. With this in mind, management should evaluate and apply proper security measures to the assets that need the most protection, assets
The phrase ‘cyber risk’ means jeopardizing an organization’s financial status and revenue as a result of advances in technology (IRM, 2014). The concern is that the rapid growth in technology creates a high risk to security and privacy. Cyber risk does not only affect big or small organizations; it also includes data breaches involving high-profile individuals or the release of government documents. While businesses and society continue to engage in the use of technology, the potential cyber threat is greatly underestimated. Cyber risk management will help prevent the release of confidential and personal information to attackers. Some examples of recent cyber attacks are the massive data breach at Target and the leak of confidential information in Panama.
Almost every business deploys traditional security-based methods to combat the threats of cybercrime; however, this is not sufficient to fully eliminate the threats. Any risk-based method must look at what is leaving the IT environment as well as the data coming in, because what is going out may hold greater significance than traditional bastion-based security methods account for (Peltier, 2010). Organizations must understand how visible they are to online criminals in regard to targets of interest, attack routes, and possible process vulnerabilities. To better defend against attack, a simple equation provides the underpinnings of the numerical system for rating risks and is expressed as follows: Risk = consequence × (threat × vulnerability) (Peltier, 2010). This equation is superior to the standard equation that only factors in threat and vulnerability, and it should be used for calculating
In the contemporary world, organizations are increasingly under pressure to secure their systems against cyber-attacks that could cripple their operations. While advances in information technology have enhanced business efficiency and profitability, they have also exposed businesses to new and emerging threats. Organizations currently allocate millions of dollars to purchase and maintain programs aimed at preventing virus and malware attacks against their systems. Inevitably, technology-dependent organizations should embrace security awareness as part of their corporate culture. In the modern context, security lapses could cost organizations large sums of money, valuable data, and crippled operations.
As the first step, identifying potential risks plays a crucial role in the risk management process. The core purpose of identifying risk is to figure out the causes of risk and to analyze the results the risks would cause and their probability. Hence, risk identification can begin with the source of the problem or with the problem itself. The chosen method of identifying risk may depend on culture, industry practice and compliance. The identification
The first thing that we must consider about information security is that there is no final destination at which we can arrive. IT security is an ongoing set of processes and activities that requires attention and expertise on a daily basis. It is important to understand that systems are not secured by themselves, and it is our responsibility to maintain and improve them periodically as required. It is of vital importance to establish the appropriate mechanisms and requirements in order to support the company’s CIA triad. The following report will provide guidance about auditing and hardening techniques applied through the 7 Domains by utilizing IT security best practices.