More and more nowadays, businesses of all sizes are opting to implement an information security management system (ISMS). This is the set of policies to manage the security of an organisation's information assets. Central to any such system is a risk assessment. This is a formal evaluation of all the risks applying to the organisation's information assets, together with a ranking of those risks according to their probability and estimated impact on the business. An example of a risk assessment procedure for information security is as follows:

Create a list of all the information assets and assess their value to the organisation.
Brainstorm all the possible threats that could apply to the assets: e.g. contact details could be destroyed by a catastrophic disk failure on the PC where they are stored.
For each asset, outline its vulnerability to each threat (e.g. information stored on a PC is more vulnerable to a disk failure than information stored on a server).
Evaluate the impact on the business: e.g. loss of client contact details could lead to termination of a contract or of the business. The impact can be estimated quantitatively (in terms of e.g. money lost) or qualitatively (in terms of e.g. broad categories such as "negligible", "moderate", "catastrophic").
Assign a probability to this risk (fairly high, in this case).
Map these findings into a risk matrix, showing the probability graphed against the impact, for each risk.
The set of all risk matrices is the "risk register", which is the outcome of the risk assessment process.

The outcome of the risk assessment will then drive the subsequent process of risk treatment, whereby each risk identified is either treated (in order to reduce it) or ignored but noted (if it is small enough to be acceptable). Most risks will be treated in some way, using so-called "countermeasures" to do one or more of the following:

Decrease the probability of the threat materialising in the first place.
Decrease the potential impact on the business in case the threat does materialise.
Minimise the time and resources needed to recover from the situation.

The countermeasures (or "controls") are measures or equipment installed to pre-emptively reduce the risk. For example, a business might implement a regular backup of all data, and would specify a new operating procedure to cover this, together with the necessary technology to carry out the backup.

This was a very simple example of what might be involved in a risk assessment for information security. However, it is not only data or equipment that might be compromised: people as well can be seen as relevant assets. For example, if your systems administrator is lured away to a rival company, you might find the business no longer has anyone who knows how to configure the computer system. This type of risk also needs to be managed.

Clearly, a risk assessment is a fundamental component of an organisation's risk management process, which in turn forms part of the overall business process management at the heart of a successful business.
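As an added illustration (not code from the original article), the assessment steps and the treatment decision above can be expressed as a small risk register in Python. The qualitative scales, the acceptance threshold, the rating bands and the effect attributed to each control are assumed values chosen for the example.

```python
from dataclasses import dataclass, field

# Qualitative scales, as in the article: probability and impact are ranked,
# then each risk is placed on a matrix of probability against impact.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"negligible": 1, "moderate": 2, "catastrophic": 3}
ACCEPTABLE = 2  # assumed risk appetite: scores at or below this are noted, not treated

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    # (control name, likelihood reduction, impact reduction); reductions are assumed
    controls: list = field(default_factory=list)

    def score(self, residual=False):
        l, i = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        if residual:  # apply each countermeasure: it lowers probability and/or impact
            for _, dl, di in self.controls:
                l, i = max(1, l - dl), max(1, i - di)
        return l * i

    def rating(self, residual=False):
        s = self.score(residual)
        return "low" if s <= 2 else "medium" if s <= 4 else "high"

    def decision(self):
        # Treat everything above the acceptance threshold; otherwise note and accept.
        return "accept (noted)" if self.score() <= ACCEPTABLE else "treat"

def risk_register(risks):
    """One row per risk, worst inherent score first: the risk register."""
    rows = [{"asset": r.asset, "threat": r.threat, "inherent": r.score(),
             "rating": r.rating(), "decision": r.decision(),
             "residual": r.score(residual=True)} for r in risks]
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)

# Constructed sample entries built from the article's own examples.
SAMPLE = [
    Risk("client contact details (on a PC)", "disk failure", "high", "catastrophic",
         controls=[("regular backup of all data", 0, 2)]),  # backup cuts impact, not failure odds
    Risk("client contact details (on a server)", "disk failure", "low", "catastrophic",
         controls=[("regular backup of all data", 0, 2)]),
    Risk("systems administrator", "lured away to a rival", "medium", "moderate",
         controls=[("documented configuration procedures", 0, 1)]),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(row)
```

The residual column shows what the matrix looks like after the chosen controls are applied, which is the quantity the treatment step is trying to bring under the acceptance threshold.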