ABSTRACT

Contents

Introduction
The Nature of Risk
    Strategic Risk
    Tactical Risk
    Operational Risk
The Process of Risk Management
    Information Security Program
    Threat Forecasting
    Incident Evaluation
    Risk Assessment
        Assessment Scope
        Assessment Framework
        Risk Quantum
        Raw Risk
    Risk Tolerance
        Avoid Risk
        Transfer Risk
        Accept Risk
        Mitigate Risk
    Control Objectives
    Selection of Controls
        Discretionary Controls
        Mandatory Controls
    Risk Treatment
        Development of Action Plan
        Approval of Action Plan
        Implementation of Action Plan
    Risk Metrics
        Process Metrics
        Program Metrics
        Environmental Metrics
    Control Attributes
        Maturity
        Weight
    Residual Risk
Summary

Introduction

Information security, as a subset of an organization’s overall risk management strategy, is a focused initiative to manage risk to information in any form. Risk management concepts, when applied to information risk, are readily managed within the context of an information security management system (ISMS). An ISMS is a process-based management approach and furnishes a framework to administer risk management processes.