14.4 Summary

Much of this book has focused on the OCTAVE approach and the need for organizations to assess their information security risks. Recall from Chapter 2 that one of the information security risk evaluation principles is foundation for a continuous process (see Figure 14-2). This principle states that the results of an information security risk evaluation provide the foundation for improvement. To realize any improvement in its security posture, an organization must implement the results of information security risk evaluations.

This chapter presented a framework for managing information security risks. The framework provides basic requirements for an information security risk management approach. In defining this approach, we have merged the asset-driven, risk-based concepts from OCTAVE with general risk management concepts commonly used in other domains to create a comprehensive approach for managing information security risks in an organization. A risk-based approach enables organizations to develop solution strategies tailored to their unique environments.

We view using information security risk evaluations to improve an organization's security posture as a sound business practice. Since most organizations rely upon access to electronic data to conduct business, the data need to be adequately protected from misuse. The ability of an organization to achieve its mission and meet its business objectives is directly linked to the state of its computing infrastructure and the manner in which people interact with it. For an organization to be in the best position to achieve its mission, its people need to understand both which information-related assets are important and what they need to do to protect those assets. We believe that a self-directed, risk-based approach for managing information security can help put organizations in a better position to achieve their missions.