1.2 Information Security Risk Evaluation and Management
Think about how much you rely upon access to information and systems to do your job. Today, information systems are essential to most organizations, because virtually all information is captured, stored, and accessed in digital form. We rely on digital data that are accessible, dependable, and protected from misuse. Systems are interconnected in ways that could not have been imagined ten years ago. Networked systems have enabled unprecedented access to information. Unfortunately, they have also exposed our information to a variety of new threats.
Organizations today have implemented a wide variety of complex computing infrastructures. They need flexible approaches that enable them to understand their information-specific security risks and then to create strategies to address those risks. An organization that wishes to improve its security posture must be prepared to take the following steps:
An information security risk evaluation is a process that can help you meet these objectives. It generates an organizationwide view of information security risks. It provides a baseline that can be used to focus mitigation and improvement activities. Periodically, an organization needs to "reset" its baseline by conducting another evaluation. The time between evaluations can be predetermined (e.g., yearly) or triggered by major events (e.g., corporate reorganization, redesign of an organization's computing infrastructure). However, an information security risk evaluation is only one part of an organization's continuous information security risk management activities.
Consider what happens during an evaluation. When an organization conducts an information security risk evaluation, it performs activities to
The evaluation only provides a direction for an organization's information security activities; it does not necessarily lead to meaningful improvement. No evaluation, no matter how detailed or how expert, will improve an organization's security posture unless the organization follows through by implementing the results. After the evaluation, the organization should take the following steps:
Note that these activities are simply a plan-do-check-act cycle.
Risk Evaluation and Management
Risk evaluation is only the first step of risk management. Figure 1-1 illustrates an information security risk management framework and the "slice" that an evaluation provides. The framework highlights the operations that organizations can use to identify and address their information security risks. Chapter 14 examines the framework in some detail and presents the basic concepts behind information security risk management. One important point to note is that most information security risk management approaches rely upon the evaluation to focus subsequent mitigation and improvement activities.
Figure 1-1. Information Security Risk Evaluation Activities in Relation to an Information Security Risk Management Framework
The evaluation thus plays a central role in managing information security risks. It can help an organization assess both its organizational practices and installed technology base and can enable personnel in an organization to make information protection decisions based on potential impact on the organization. Information security risk evaluations can enable the selection of cost-effective and useful countermeasures by balancing the costs of addressing a risk against the benefits derived from avoiding the negative impact. They can also allow an organization to focus its security activities on what is important. If the organization's policies, practices, and tools are improperly "aimed," management in that organization is not effectively using its staff's time.
There are many types of information security risk evaluations available to potential users. The quality and scope of products and services vary across an extremely wide range. Many of the evaluations do not lend themselves to an organizationwide security improvement approach. The next section outlines a flexible approach to evaluating information security risks in an organization.