Risk management is just as important in information security as it is in physical security. Identifying and assessing risk in information security follows the same basic path as for physical security.
The first step in risk identification is to inventory information assets. These include the following components as outlined in Whitman & Mattord (2010):
- People
  - Inside the organization
  - Outside the organization
- Procedures
  - IT and business standard procedures
  - IT and business sensitive procedures
- Software
  - Operating systems
  - Security components
- Hardware
  - Systems and peripherals
  - Security devices
- Networking
  - Intranet components
  - Internet or extranet components
Once the assets have been identified, they are prioritized, assessed for how critical their failure would be to the organization, and then evaluated against each threat they face, including the likelihood of an attack (Whitman & Mattord, 2010).
Risk analysis and management is a time-consuming but essential process in securing an organization.
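As an added example (not from this post or from Whitman & Mattord), the following Python sketch carries the steps above through end to end: it scores each inventoried asset's criticality with a weighted-factor analysis, pairs assets with the threats they face and an estimated likelihood, and ranks the resulting risks. The asset inventory, criteria weights, scores, likelihoods and the criticality-times-likelihood scoring model are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    category: str            # asset class from the inventory list above
    revenue_impact: int      # criticality criteria, each scored 0-5 (constructed)
    confidentiality: int
    recovery_cost: int

@dataclass
class Threat:
    asset: str               # name of the asset this threat applies to
    description: str
    likelihood: float        # estimated probability per year, 0.0-1.0 (constructed)

# Assumed weights for the weighted-factor criticality analysis; they sum to 1.0.
WEIGHTS = {"revenue_impact": 0.5, "confidentiality": 0.3, "recovery_cost": 0.2}

def criticality(asset: Asset) -> float:
    """Weighted sum of the asset's criteria scores, on a 0-5 scale."""
    return round(sum(getattr(asset, k) * w for k, w in WEIGHTS.items()), 2)

def risk_register(assets, threats):
    """Return (risk, asset name, threat) tuples, highest risk first.
    Assumed scoring model: risk = asset criticality x threat likelihood."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]            # KeyError flags a threat with no inventoried asset
        rows.append((round(criticality(a) * t.likelihood, 2), a.name, t.description))
    return sorted(rows, reverse=True)

# Constructed sample inventory and threat list.
ASSETS = [
    Asset("Order-processing server", "Hardware: systems and peripherals", 5, 3, 4),
    Asset("Edge firewall", "Hardware: security devices", 3, 2, 2),
    Asset("Customer data store", "Software: operating systems", 4, 5, 3),
]
THREATS = [
    Threat("Order-processing server", "Ransomware delivered by phishing", 0.4),
    Threat("Order-processing server", "Hardware failure", 0.2),
    Threat("Edge firewall", "Misconfiguration exposing management interface", 0.3),
    Threat("Customer data store", "Credential theft", 0.5),
]

if __name__ == "__main__":
    for risk, name, threat in risk_register(ASSETS, THREATS):
        print(f"{risk:5.2f}  {name:24}  {threat}")
```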
Some additional resources for Information Security Risk Management include:
- Microsoft’s Security Risk Management Guide http://www.microsoft.com/en-us/download/details.aspx?id=6232
- DOE’s Cybersecurity Risk Management Process http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012
- A Risk Management Methodology for Information Security: The Analytic Hierarchy Process http://www.johnsaunders.com/papers/risk-ahp/risk-ahp.htm
Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security, Third Edition. Boston: Cengage Learning.