In order to effectively protect and maintain your information assets, risks need to be assessed and managed. Risk management can be a daunting process to those without any experience or education on the topic, so we put together a basic summary of terms and processes to make it a little less intimidating.
Terms:
Risk Management: Taking action to mitigate risks after identifying and assessing the weight of the risks
Risk Identification: Recognizing, cataloging, and documenting any risks to assets
Risk Assessment: Determining how exposed an organization’s information assets are to risk
Risk Control: Putting controls in place to reduce the risk to assets
Residual Risk: Risk that remains after controls are implemented
Risk Appetite/Tolerance: The amount of risk that an organization deems acceptable, given that perfect security cannot be achieved while still allowing reasonable accessibility
Asset Valuation: Assigning financial value to information assets. Information assets are broken down into three categories: People, Procedures, and Data.
Risk management is the umbrella term that encapsulates risk identification, assessment, and control. Each of these categories can be further broken down as well. The steps of each process are listed below.
Risk Identification:
- Identify, inventory, & categorize assets
- Classify & prioritize assets
- Identify & prioritize threats
- Specify vulnerabilities
Risk Assessment:
- Determine likelihood of asset loss
- Evaluate impact of loss
- Calculate risk
- Assess risk tolerance
Risk Control:
- Choose control strategies
- Justify controls
- Implement, monitor, and assess controls
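As an added example (not code from the original article), the Python sketch below shows how the steps above fit together in a small risk register: assets are valued and categorized, each threat/vulnerability pair is scored, risks are prioritized and compared with a risk appetite, and residual risk is recomputed once controls are applied. The 1-5 scoring scales, the likelihood x impact formula, the tolerance value and the sample assets are assumptions for the example; the article names the steps, not a formula.

```python
from dataclasses import dataclass

# Assumed for this example: 1-5 scales, risk = likelihood x impact,
# and a risk appetite expressed as a maximum accepted score.
TOLERANCE = 8  # assumed risk appetite: residual scores at or below this are accepted

@dataclass
class Asset:
    name: str
    category: str   # "People", "Procedures", or "Data"
    value: float    # asset valuation in dollars

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                   # 1 (rare) .. 5 (almost certain)
    impact: int                       # 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0  # 0 (no control) .. 1 (fully mitigated)

    def inherent_score(self) -> int:
        # "Calculate risk": likelihood x impact before any control
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # "Residual risk": what remains after the control is in place
        return self.inherent_score() * (1 - self.control_effectiveness)

    def within_tolerance(self, tolerance=TOLERANCE) -> bool:
        return self.residual_score() <= tolerance

def build_register():
    # Constructed sample register: two assets, three threat/vulnerability pairs
    customer_db = Asset("Customer database", "Data", 250_000)
    helpdesk = Asset("Help-desk staff", "People", 40_000)
    return [
        Risk(customer_db, "SQL injection", "unpatched web app", 4, 5),
        Risk(helpdesk, "Phishing", "no awareness training", 5, 3),
        Risk(customer_db, "Disk failure", "no offsite backup", 2, 4),
    ]

def prioritize(risks):
    # Rank highest inherent risk first; ties broken by asset valuation
    return sorted(risks, key=lambda r: (r.inherent_score(), r.asset.value), reverse=True)

def treat(register, controls):
    # controls: {threat: effectiveness}; returns threats still above tolerance
    for r in register:
        r.control_effectiveness = controls.get(r.threat, 0.0)
    return [r.threat for r in prioritize(register) if not r.within_tolerance()]
```

Running `treat(build_register(), {"SQL injection": 0.7, "Phishing": 0.4})` leaves only "Phishing" above the assumed tolerance, which is the signal that a further control choice is needed for that risk.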
The overall goal of risk management is to know yourself and know the enemy. In other words, you want to spend as much time identifying and evaluating your assets as you do assessing the threats and risks to those resources. By doing so, you can accurately document the vulnerabilities in an information system and take the appropriate steps to protect and maintain that system.