Hi, Anthony. I agree with you that risk assessment is a process that identifies and assesses risks within a given environment, such as cloud computing, workstations, or AI machine learning. I think the purpose of risk management is to mitigate the loss of confidentiality, integrity, and availability, but we need to organize the process. If we mess up the procedure, we may solve the issue inefficiently or ineffectively.
The base for a strong and robust Information Security Program is the identification of vulnerabilities and threats. Without proper categorization and risk analysis of each combination, any security protocol will “propagate and lead to a cascade of analytical errors.” A thorough risk assessment considers the business vision and mission and allows the technical group to align its resources and analysis against those critical business goals. That alignment to the business is the root driver in the implementation of a Security Program. The steps that follow are the procedures taken to satisfy the needs of the business, but that initial identification and categorization is critical to the rest of the process.
For this reading, I was able to take away that there will always be risk in an organization. The risk needs to be identified, mitigated and evaluated. Each organization needs to ID the vulnerabilities which they are exposed to and find out which controls are necessary to help mitigate the risk. The impact of the risk may be extreme or minimal. The controls and mitigations which need to be put in place are determined based on the risk of impact. As the organization changes over time, the risk needs to be re-evaluated to make sure the organization is protected and they are minimizing risk where they can.
Hi Jonathan, I like your point that a takeaway from this specific reading is that the risk management process is a cycle, not a once-and-done exercise. The consistent and constant re-evaluation of risk is what allows organizations to shift their mitigation strategy to respond to new threats and vulnerabilities.
Hi Jonathan, this is a great point that I agree with! Risk is inevitable, especially with how complex enterprises are now; there will always be risks associated with the organization. Perhaps some might be greater than others, but they are still risks! To face/mitigate these risks it is critical that all the threats and vulnerabilities are identified. Risk assessment then helps establish and edit current controls to mitigate these risks.
I think the security awareness and training program is a critical component of the information security program. An effective risk management process is an important component of a successful information security program. First, risk identification refers to the process in which the project managers, along with the other team members as well as other relevant people, generate the probable risks for a specific project or event. A frequently used tool to help project managers and other responsible people identify the probable risks and dangers in a project is the risk breakdown structure. People responsible for risk identification for a specific project should cooperate to brainstorm and use critical thinking skills to identify different kinds of probable risks and dangers. An effective risk identification process can pave the way for the later steps during the entire risk identification process. Second, risk assessment is the second step of the risk management process.
I think you raise a good point that the security awareness and training are critical for the security program of an organization. The internal employees are always going to be the biggest risk to the company. Ensuring training is done on a routine basis is extremely important to help mitigate risk.
Hi Junhan, thank you for sharing your points; I totally agree with them. Staff security awareness training is a necessary part of the information security program. Most employees lack basic security awareness and cause huge financial losses for corporations, and employees are usually the No. 1 risk in IT risk.
This chapter focuses on the importance of an effective risk management process for a successful information security program. This chapter highlights a reduced six-step risk assessment process (listed below) targeted at identifying and assessing the risks faced by an organization.
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Risk Analysis
5. Control Recommendations
6. Results Documentation
This is a clear, systematic process, as it is important to identify all the threats and vulnerabilities to perform the required risk analysis. This risk analysis can then be used to recommend controls and mitigation strategies. Each step in this multi-step process is critical to obtaining a valuable risk assessment and improving this process over time.
Hi Prince, although the three processes are all important in facilitating risk management, risk assessment is in my opinion, the most important. By understanding the scope of the organization’s risk, we can make sound judgement about what resources should be invested to better understand these vulnerabilities.
I agree, the multistep process must be carried out in full to properly assess the risk in the organization’s scope.
I think that it is important to understand how to use risk assessment to mitigate the risk. We can implement the risk assessment step by step. First, we need to thoroughly understand the business environment, such as the components of the system and the types of information. After this, we can explore and evaluate the weaknesses in the system and identify where the vulnerabilities in the system are. In doing this, we need a risk analysis to determine the issues that can affect the operation and implement it to avoid or mitigate the risks. Also, we can use the risk level matrix to decide which risks we should focus more on controlling. If the risk likelihood and impact are high, we need to pay more attention to controlling the risk. The matrix can help us make risk assessment more efficient and effective. When a similar issue occurs, we can use the previous risk assessment as a guideline to solve the problem. Therefore, I think the risk assessment is very helpful and useful for organizations to solve their problems.
You make a good point of understanding the importance of how to use risk assessment to mitigate the risk. The first step is definitely to understand the business environment to identify the information system boundaries, resources, and information. This step includes components such as hardware, software, data, people, information flows throughout the system, etc. This step is very important as this will ensure the best view of the risk profile of the system. The first step is a foundation on which the other steps will be built upon.
Step 1 – System Characterization
The purpose of characterizing the system is to determine the system’s appropriate security categorization. Organizations use questionnaires, interviews, documentation reviews, and automated scanning tools to collect the information needed to fully characterize the system. At a minimum, these types of information are needed when characterizing the system: hardware, software, external interfaces to other systems, data, and people.
Threat identification consists of identifying threat sources with the potential to exploit weaknesses in the system.
The most common threats:
natural threats
human threats
environmental threats
I felt that this was the most important thing I took away as well. Because this step is first, all other steps are going to build off of this, so if anything this step has to be done in the most complete and detailed way as everything will be built off of this. If sections or departments are omitted, it will have a ripple effect and leave a vulnerability in the system.
Risk management is an important function in any organization. This chapter of NIST SP 800-100 outlines the steps of the risk management process for federal agencies and the publications related to each of the steps. A key point that I took from the reading is that risk management is a continuous cycle. The cycle has three processes. The first is risk assessment, which includes system characterization, threat identification, vulnerability identification, risk analysis, control analysis, likelihood determination, impact analysis, risk determination, and control recommendations, which are all summarized in results documentation. The next process is risk mitigation, where control actions are prioritized and assessed against recommended control options, a cost/benefit analysis of the control options is completed, the controls are selected and control owners designated, an implementation plan is developed, and control implementation is completed. Finally, the controls are evaluated and assessed to ensure that new threats or vulnerabilities exist, that the controls are still effective for the risks they were designed to mitigate, and that the authorizing individual is willing to certify that the information system complies within a threshold determined by the agency. In essence, the risk management cycle continues to iterate as the environment, threats, and vulnerabilities change over time.
Risk management can not only protect the information assets of the organization but also help the organization operate normally. Risk management is an aggregation of three processes: risk assessment, risk mitigation, and evaluation and assessment.
Risk assessment is a process of identifying and assessing the risks, including assessing the probability of occurrence of the risk, the severity of the risk, the timing, and so on. At the same time, risk assessment will also cover the confidentiality, integrity, and availability of information. Risk mitigation reduces risks by determining the priority of risks and evaluating and implementing appropriate control measures, because risks cannot be completely eliminated. Risk evaluation and assessment is the last step of risk management, assessing the existing environment to deal with the rapidly changing environment.
Risk management refers to how to minimize risks in a project or enterprise in a risky environment. Risk management refers to the management method that selects the most effective way through the understanding, measurement, and analysis of risks, deals with risks proactively, purposefully, and in a planned way, and strives to obtain the greatest safety guarantee at the lowest cost.
Among all the points mentioned in this chapter, I think threat identification is most important.
Risk identification is the first step of risk management and the foundation of risk management. Only by correctly identifying the risks they face can people proactively choose appropriate and effective methods to deal with them. It is fundamental to risk management because if you cannot identify the risk, you cannot prevent it.
I agree with you that threat identification is important, but I would argue system categorization is the most important step. This step helps determine how critical and sensitive the data is within the system. Then similarly to what you stated, an organization can use this categorization to determine the appropriate set of controls that need to be in place in order to protect the system. Additionally, if an organization has a limited budget, this exercise can help them focus on what systems to invest their money into.
Risk management includes three main elements: risk assessment, risk mitigation, and assessment and evaluation. Risk management is a basic process that every organization should pay attention to and carry out, because it helps to support the goals of the organization and establish a system security plan. It is important to embed the risk management process into the system development life cycle. As the goal of risk management is to protect the system and assets of the organization and enable the organization to achieve its goals and missions, risk management should be regarded as one of the main management functions, rather than as the work of safety personnel.
In the second stage of risk management, risk mitigation aims at reducing risk to an acceptable level. Figure 10-4 shows a simple strategy that can be used to determine the need for risk mitigation measures. Once it has been decided which risks to resolve, there is a seven-step process to choose safety controls. For federal agencies, authorizing officials will sign to accept residual risks. If they believe that the risk has not yet been reduced to an acceptable level, they will repeat the risk management cycle to identify ways to reduce risk to acceptable levels.
Anthony Wong says
A strong risk management process is essential to protect an organization’s information assets. Security professionals must work with their business partners to gather information about an asset and understand the consequences for confidentiality, integrity, and availability if the asset is compromised. This exercise can help categorize assets on a high, medium, and low scale, which assists in the prioritization of risks and ensures adequate risk controls are implemented to lower risks to an acceptable level. Another factor to consider when mitigating threats is the likelihood that they will occur. With all the information assets identified, the risk management team can put the information in a risk register to identify and keep track of metadata around each risk, including the risk owner, mitigation measures, etc. After the initial risk assessment, the process should recur every three years to ensure details on the information assets are up to date.
Wenyao Ma says
Hi Anthony,
Great point that you mentioned there! I also mentioned that risk management is a basic process that every organization should pay attention to and implement, because it helps to support the organization’s goals and establish a system security plan. Therefore, a strong risk management process is essential for the protection of the organization’s information assets.
Priyanka Ranu says
Implementing a security education, training, and awareness (SETA) program is a critical component of the information security program, as this will ensure all employees are aware of information security principles, since it’s their responsibility to secure the business and learn how to better protect themselves and their company’s assets. Based on the recommendations in this reading and my understanding, I would develop a SETA program as follows:
Firstly, I would evaluate and assess the major risks. For example, if the organization is facing phishing attacks, I would develop a plan around this. Next, I would go about scheduling and delivering the training. Most companies only provide annual training, which I think is not enough. Training should be scheduled at least monthly, and there should be a mix of training provided, for example classroom-style training, weekly or monthly email reminders, and self-paced tutorials. The content should be relevant to the threats the company is currently facing or seasonal threats. Lastly, I would test and monitor the effectiveness of the training. Testing will show whether the security awareness training was implemented properly and whether employees paid attention to the training, for example by sending out a phishing email a few weeks after the training to see who falls victim to it. Tracking and monitoring is important as well, to see how many people completed the training and how much time they spent on it. For example, if the training is a self-paced tutorial with quizzes at the end, that will give an indication of how many employees completed the tutorial and passed the quiz. If employees don’t complete the tutorial or fail the quiz, they will be sent for further training. In the end, I would definitely recommend receiving evaluation and feedback from the employees to assess how the existing training program is working.
Priyanka Ranu says
I thought we had to choose a section from this reading, so I highlighted security awareness and training, which I think kind of ties into risk management. However, I would like to add one key point that I took from this reading, which was about risk mitigation. Risk mitigation is applying appropriate controls to reduce the risk, such as a software company mitigating the risk of new software not functioning properly by releasing it in stages. I think the risk mitigation strategy illustration is quite helpful in assessing whether risk mitigation actions are necessary. A seven-step approach is used to guide the selection of security controls once it has been decided which risks are to be addressed; the steps are: prioritize actions, evaluate recommended control options, conduct cost-benefit analyses, select controls, assign responsibility, develop a safeguard implementation plan, and implement selected controls.
Mei X Wang says
Risk is defined as “a function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.” Risk management consists of three processes created based on federal laws, regulations, and guidelines. These processes are risk assessment, risk mitigation, and evaluation and assessment.
Risk assessments are conducted to identify and assess risks in a given environment. They can be conducted in depth to determine the criticality and sensitivity of the system based on the CIA triad. The simplified six-step process is to first characterize the system and establish the scope of the risk assessment. Steps two and three are to identify threats and vulnerabilities. Step four consists of conducting a control analysis and determining the likelihood and potential impact; risk is then determined and scored. In step five, control recommendations are given as countermeasures to mitigate the risk. Lastly, results are documented so the organization’s managers have sufficient information to make risk-based decisions for the organization.
Haozhe Lin says
Hi Wang,
I agree with you that risk analysis includes two parts, possibility and effect. The required information can be obtained through business impact analysis, which is to identify and quantify the necessary risk management capabilities. It includes investigating and disclosing the weaknesses of the company and formulating the company’s risk coping strategies. The following items can be used for impact analysis:
The frequency of using vulnerabilities, the cost of events, and the factors that make use of specific vulnerabilities.
Austin Mecca says
The risk assessment process does a good job of breaking down the overall process into smaller, simpler steps that allow an organization to accurately assess their company. System characterization is not only the first step but also the most important. If things are missing from the categorization, they’re going to be omitted in the plan to secure the network or infrastructure, which then leads to the weakest link: everything else can be secured to a T, but if attackers see that weak link it will render all the other defenses useless. Once everything is accounted for, the next two steps are done simultaneously. The threat and vulnerability identification steps are also integral, as they are the “know your enemy” steps. This is where you assess how attackers would attempt to infiltrate your system and start to plan to fix it. These first three steps have to be done as thoroughly and correctly as possible, as they lay the foundation for the rest of the process.
Krish Damany says
Hi Austin,
You make a good point about accountability with categorization. The smallest miscalculation could potentially result in the greatest risks. Your point on threat and vulnerability identification is poignant, as we have to think like an attacker to help mitigate an attack.
Vanessa Marin says
I completely agree that without a solid foundation in the first steps of the assessment, any further analysis is going to be fraught with misrepresentations. Understanding your business environment and the factors that affect it is half the battle when assessing risk. Of course, there is never a 100% accurate risk assessment. There are always many unknowns. COVID-19 is an excellent example of an external threat that’s never been seen before.
Krish Damany says
One key point I took away from the reading was in the second phase of the risk management process, which is risk mitigation. Once an organization has made a risk assessment plan and obtained results, they can use that data to determine the most cost-effective strategy, in terms of financial costs and the costs of acceptable risk. In figure 10-4, a simplified flow chart shows whether an organization should accept a risk or whether the risk is unacceptable and needs to be dealt with as soon as possible. If the attacker’s cost is less than the gain, and the anticipated loss is greater than the threshold of information, then the risk is unacceptable. From there, a seven-step process determines how to mitigate the associated risk. This includes prioritizing actions, evaluating recommended control options, conducting cost-benefit analysis, selecting controls, assigning responsibility, developing a safeguard implementation plan, and implementing the selected controls. Once all those steps are achieved, the organization can move to the final phase of the risk management process, which is evaluation and assessment.
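As an added example (not code from the thread or from NIST SP 800-100), a small risk register scored with the likelihood x impact risk level matrix mentioned elsewhere in this thread and filtered by an accept-or-mitigate decision in the spirit of figure 10-4. It assumes the matrix is the one in NIST SP 800-30 (likelihood High 1.0 / Medium 0.5 / Low 0.1; impact High 100 / Medium 50 / Low 10; risk High above 50, Medium above 10 to 50, Low 1 to 10), reduces figure 10-4's two questions to a single acceptable-level threshold, and uses constructed register entries.

```python
"""Risk register scoring with the NIST SP 800-30 risk-level matrix.

Added example, not from the discussion thread or from NIST. The numeric
scale is the SP 800-30 risk-level matrix (assumed to be the "risk level
matrix" discussed in the thread); the register entries are constructed
sample data, and the accept/mitigate rule is a simplification of the
figure 10-4 decision to a single acceptable risk level.
"""
from dataclasses import dataclass, field

# SP 800-30 likelihood weights and impact magnitudes
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


@dataclass
class Risk:
    """One risk register entry with the metadata the thread lists
    (owner, mitigation measure) plus the computed score and level."""
    asset: str
    threat: str            # threat source / event (e.g. "phishing")
    vulnerability: str
    likelihood: str        # high / medium / low
    impact: str            # high / medium / low
    owner: str
    mitigation: str = ""   # planned control, filled in after prioritisation
    score: float = field(init=False, default=0.0)
    level: str = field(init=False, default="")


def score_risk(likelihood: str, impact: str) -> float:
    """Risk score = likelihood weight x impact magnitude (SP 800-30 Table 3-6).
    Rejects ratings outside high/medium/low instead of silently scoring 0."""
    try:
        return round(LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()], 6)
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use high/medium/low") from None


def risk_level(score: float) -> str:
    """Map a score onto the SP 800-30 risk scale (boundaries are exclusive
    at the top of each band: 50 is Medium, 10 is Low)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def needs_mitigation(level: str, acceptable: str = "Low") -> bool:
    """Simplified figure 10-4 decision: anything above the level the
    organisation accepts must be mitigated; the rest is accepted and
    recorded as residual risk."""
    order = ["Low", "Medium", "High"]
    return order.index(level) > order.index(acceptable)


def assess(register: list[Risk], acceptable: str = "Low") -> list[Risk]:
    """Score every register entry in place and return the entries that
    require mitigation, highest score first (the 'prioritize actions'
    step of the seven-step mitigation process)."""
    for r in register:
        r.score = score_risk(r.likelihood, r.impact)
        r.level = risk_level(r.score)
    todo = [r for r in register if needs_mitigation(r.level, acceptable)]
    return sorted(todo, key=lambda r: r.score, reverse=True)


# Constructed sample register (hypothetical assets, owners and ratings)
SAMPLE_REGISTER = [
    Risk("payroll database", "external attacker", "unpatched DB server",
         "medium", "high", "DBA lead"),
    Risk("staff mailboxes", "phishing", "no awareness training",
         "high", "high", "IT security"),
    Risk("public web brochure", "defacement", "weak CMS password",
         "low", "low", "Web team"),
    Risk("file server", "flood (environmental)", "basement location",
         "low", "high", "Facilities"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r.level:6} {r.score:5.1f}  {r.asset:20} owner={r.owner}")
```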
Zhen Li says
The risk management process needs to be treated as an essential management function of the organization that is tightly woven into the system development life cycle (SDLC). It includes eight steps.
Risk management has three processes: risk mitigation, and evaluation and assessment. The risk management process also needs to meet the FISMA requirements.
The goal of the risk assessment process is to identify and assess the risks to a given environment. They can be conducted in depth to determine the criticality and sensitivity of the system based on these three aspects: confidentiality, integrity, and availability. The six-step process can help an organization analyze the level of risk. This risk assessment process is usually repeated at least every three years for federal agencies. However, risk assessments should be conducted and integrated into the SDLC for information systems because it is a good practice and supports the organization’s business objectives or mission.
Vanessa Marin says
In complete agreement! Though, unless you are a federal institution bound by some of these regulations, the documentation referenced can be used as a tool to set your company up with the best industry practices. Many of the criteria in the Publications do not necessarily apply to the business, however. So it’s important not to go down a rabbit hole and try to implement every standard.
Anthony Messina says
Risk management involves three processes: risk assessment, risk mitigation, and evaluation and assessment. Risk assessment is a process that identifies and assesses risk within a given environment. The degree of risk is assigned a value based on the criticality and sensitivity of an information system as it applies to confidentiality, integrity, and availability. Risk mitigation involves evaluating a potential risk, prioritizing it, and finally implementing the appropriate controls to defend against it. The evaluation and assessment stage of the risk management process involves documenting any and all changes made to an information system. It is important to document any changes made to a system to ensure that the new changes do not introduce any further risk.
Cami Chen says
Hi, Anthony. I agree with you that risk assessment is a process that identifies and assesses risks within a given environment, such as cloud computing, workstations, or AI machine learning. I think the purpose of risk management is to mitigate the loss of confidentiality, integrity, and availability, but we need to organize the process. If we mess up the procedure, we may solve the issue inefficiently or ineffectively.
Vanessa Marin says
The base for a strong and robust Information Security Program is the identification of vulnerabilities and threats. Without proper categorization and risk analysis of each combination, security protocols will “propagate and lead to a cascade of analytical errors.” A thorough risk assessment considers the business vision and mission and allows the technical group to align its resources and analysis against those critical business goals. That alignment to the business is the root driver in the implementation of a Security Program. The steps that follow are the procedures taken to satisfy the needs of the business, but that initial identification and categorization is critical to the rest of the process.
Jonathan Castelli says
For this reading, I was able to take away that there will always be risk in an organization. The risk needs to be identified, mitigated and evaluated. Each organization needs to ID the vulnerabilities which they are exposed to and find out which controls are necessary to help mitigate the risk. The impact of the risk may be extreme or minimal. The controls and mitigations which need to be put in place are determined based on the risk of impact. As the organization changes over time, the risk needs to be re-evaluated to make sure the organization is protected and they are minimizing risk where they can.
Heather Ergler says
Hi Jonathan, I like your point that a takeaway from this specific reading is that the risk management process is a cycle, not a once-and-done exercise. The consistent and constant re-evaluation of risk is what allows organizations to shift their mitigation strategy to respond to new threats and vulnerabilities.
Prince Patel says
Hi Jonathan, this is a great point that I agree with! Risk is inevitable; especially with how complex enterprises are now, there will always be risks associated with the organization. Perhaps some might be greater than others, but they are still risks! To face/mitigate these risks it is critical that all the threats and vulnerabilities are identified. Risk assessment then helps establish and edit current controls to mitigate these risks.
Junhan Hao says
I think the security awareness and training program is a critical component of the information security program. An effective risk management process is an important component of a successful information security program. First, risk identification refers to the process in which the project managers, along with the other team members as well as other relevant people, generate the probable risks for a specific project or event. A frequently used tool to help project managers and other responsible people identify the probable risks and dangers in a project is the risk breakdown structure. People responsible for risk identification for a specific project should cooperate to brainstorm and use critical thinking skills to identify different kinds of probable risks and dangers. An effective risk identification process can pave the way for the later steps during the entire risk identification process. Second, risk assessment is the second step of the risk management process.
Jonathan Castelli says
I think you raise a good point that the security awareness and training are critical for the security program of an organization. The internal employees are always going to be the biggest risk to the company. Ensuring training is done on a routine basis is extremely important to help mitigate risk.
Zhen Li says
Hi Junhan, thank you for sharing your points; I totally agree with them. Staff security awareness training is a necessary part of the information security program. Most employees lack basic security awareness and cause huge financial losses to corporations, and employees are usually the No. 1 risk in IT risk.
Prince Patel says
This chapter focuses on the importance of an effective risk management process to have a successful information security program. This chapter highlights a reduced six-step risk assessment process (listed below) targeted to identify and assess the risks faced by an organization.
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Risk analysis
5. Control recommendations
6. Results documentation
This is a clear systematic process, as it is important to identify all the threats and vulnerabilities to perform the required risk analysis. This risk analysis can be used to then recommend controls and mitigation strategies. Each step in this multi-step process is critical to get a valuable risk assessment and improve this process over time.
Mei X Wang says
Hi Prince, although the three processes are all important in facilitating risk management, risk assessment is in my opinion, the most important. By understanding the scope of the organization’s risk, we can make sound judgement about what resources should be invested to better understand these vulnerabilities.
I agree, the multistep process must be carried out in full to properly assess the risk in the organization’s scope.
Cami Chen says
I think that it is important to understand how to use risk assessment to mitigate the risk. We can implement the risk assessment step by step. First, we need to thoroughly understand the business environment, such as the components of the system and types of information. After this, we can explore and evaluate the weaknesses in the system, and we identify where the vulnerabilities in the system are. In doing this, we need a risk analysis to determine the issues that can affect the operation and implement it to avoid or mitigate the risks. Also, we can use the risk level matrix to decide which risk we should focus more on controlling. If the risk likelihood and impact are high, we need to pay more attention to controlling the risk. The matrix can help us to make risk assessment more efficient and effective. When a similar issue occurs, we can use the previous risk assessment as a guideline to solve the problem. Therefore, I think the risk assessment is very helpful and useful for organizations to solve their problems.
Priyanka Ranu says
Hi Cami,
You make a good point of understanding the importance of how to use risk assessment to mitigate the risk. The first step is definitely to understand the business environment to identify the information system boundaries, resources, and information. This step includes components such as hardware, software, data, people, information flows throughout the system, etc. This step is very important as this will ensure the best view of the risk profile of the system. The first step is a foundation on which the other steps will be built upon.
Kyuande Johnson says
Step 1 – System Characterization
The purpose of characterizing the system is to determine the system’s appropriate security categorization. Organizations use questionnaires, interviews, documentation reviews, and automated scanning tools to collect the information needed to fully characterize the system. At a minimum, these types of information are needed when characterizing the system: hardware, software, external interfaces to other systems, data, and people.
Threat identification consists of identifying threat sources with the potential to exploit weaknesses in the system.
The most common threats:
natural threats
human threats
environmental threats
Austin Mecca says
Kyuande,
I felt that this was the most important thing I took away as well. Because this step is first, all other steps are going to build off of this, so if anything this step has to be done in the most complete and detailed way as everything will be built off of this. If sections or departments are omitted, it will have a ripple effect and leave a vulnerability in the system.
Heather Ergler says
Risk Management is an important function in any organization. This chapter of NIST SP 800-100 outlines the steps of the risk management process for federal agencies and the publications related to each of the steps. A key point that I took from the reading is that risk management is a continuous cycle. The cycle has three processes. The first is risk assessment, which includes system characterization, threat identification, vulnerability identification, risk analysis, control analysis, likelihood determination, impact analysis, risk determination and control recommendations, which are all summarized in results documentation. The next process is risk mitigation, where control actions are prioritized, assessed against recommended control options, a cost/benefit analysis of the control options is completed, the controls are selected and control owners designated, an implementation plan is developed and control implementation is completed. Finally, the controls are evaluated and assessed to ensure that new threats or vulnerabilities exist, that the controls are still effective for the risks they were designed to mitigate and that the authorizing individual is willing to certify that the information system complies within a threshold determined by the agency. In essence, the risk management cycle continues to iterate as the environment, threats and vulnerabilities change over time.
Xinyi Zheng says
Risk management can not only protect the information assets of the organization, but also help the organization to operate normally. Risk management is an aggregation of three processes: risk assessment, risk mitigation, and evaluation and assessment.
Risk assessment is a process of identifying and assessing the risks, including assessing the probability of occurrence of the risk, the severity of the risk, the time and so on. At the same time, risk assessment will also include the confidentiality, integrity and availability of information. Risk mitigation reduces risks by determining the priority of risks, evaluating and implementing appropriate control measures, because risks cannot be completely eliminated. Risk evaluation and assessment is the last step of risk management, assessing the existing environment to deal with the rapidly changing environment.
Zibai Yang says
Risk management refers to how to minimize risks in a project or enterprise in a risky environment. Risk management refers to the management method that selects the most effective way through the understanding, measurement, and analysis of risks, deals with risks proactively, purposefully, and in a planned manner, and strives to obtain the greatest safety guarantee at the lowest cost.
Among all the points mentioned in this chapter, I think threat identification is most important.
Risk identification is the first step of risk management and the foundation of risk management. Only by correctly identifying the risks they face can people proactively choose appropriate and effective methods to deal with them. It is fundamental to risk management because if you cannot identify the risk, you cannot prevent it.
Anthony Wong says
Hi Zibai,
I agree with you that threat identification is important, but I would argue system categorization is the most important step. This step helps determine how critical and sensitive the data is within the system. Then similarly to what you stated, an organization can use this categorization to determine the appropriate set of controls that need to be in place in order to protect the system. Additionally, if an organization has a limited budget, this exercise can help them focus on what systems to invest their money into.
Wenyao Ma says
Risk management includes three main elements: risk assessment, risk mitigation, and assessment and evaluation. Risk management is a basic process that every organization should pay attention to and carry out, because it helps to support the goals of the organization and establish a system security plan. It is also important to embed the risk management process into the system development life cycle. As risk management can protect the system and assets of the organization, and enable the organization to achieve its goals and missions, it should be regarded as one of the main management functions, rather than as the work of safety personnel.
Haozhe Lin says
In the second stage of risk management, risk mitigation aims at reducing risk to an acceptable level. Figure 10-4 shows a simple strategy that can be used to determine the need for risk mitigation measures. Once it is decided what risks to resolve, there is a seven-step process to choose safety controls. For federal agencies, authorized officials will sign to accept residual risks. If they believe that the risk has not yet been reduced to an acceptable level, they will repeat the risk management cycle to identify ways to reduce risk to acceptable levels.