1c: Risk Evaluation

COBIT 5 Enabling Processes 

NIST SP 800-60v1r1 – Guide for mapping information types to security categories

NIST SP 800-60v2r1 – Appendix

Lecture presentation

Quiz and solutions

 

What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?

What is an information risk profile? How is it used?  Why is it critical to the success of an organization’s risk management strategies and activities?

How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain?  How should the business use the risk profile?