Information Security Risk Management Basics

Risk management is just as important in information security as it is in physical security.  Identifying and assessing risk in information security follows the same basic path as for physical security.

The first step in risk identification is to inventory information assets.  These include the following components as outlined in Whitman & Mattord (2010):

  1. People
    1. Inside the organization
    2. Outside the organization
  2. Procedures
    1. IT and business standard procedures
    2. IT and business sensitive procedures
  3. Data
    1. Transmission
    2. Processing
    3. Storage
  4. Software
    1. Applications
    2. Operating systems
    3. Security components
  5. Hardware
    1. Systems and peripherals
    2. Security devices
  6. Networking
    1. Intranet components
    2. Internet or extranet components

Once the assets have been identified, they are prioritized, assessed for how critical their failure would be to the organization, and evaluated against each threat they face, including the likelihood of attack (Whitman & Mattord, 2010).

Risk analysis and management is a time-consuming but essential process in securing an organization.

Some additional resources for Information Security Risk Management include:

Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security, Third Edition. Boston: Cengage Learning.
