

ID: 3534002 • Letter: 1

Question

1. Explain in plain English the relationship between risk management and the integration of confidentiality, integrity, and availability into an information security program. Additionally, please state what you see as the greatest threat to security in an organization and why.

Note: to formulate a complete answer to this question you may also need to incorporate information from FIPS 199 and NIST-SP-800-37.

http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

Explanation / Answer

Information security should be managed as a program that requires the same degree of attention and responsibility as other resourced programs within an organization. This paper argues for building a security management program on a foundation of business risk assessment and risk management. It defines and explains risk, risk assessment, risk management and relates business risk management to security risk management. A synopsis of the steps in risk management and guidance on the key components for effectively implementing a security risk management program into an enterprise is provided. The reader should have a fuller understanding of the best practices associated with risk assessment and risk management and be able to use risk analysis to communicate with business process owners in terms of the risks to confidentiality, integrity, and availability in their areas of concern.


Introduction

A recent report from the United States General Accounting Office [DAC02] found that all 24 Major Federal Agencies had significant weaknesses in security program management. In the testimony to Congress that conveyed that finding, Robert Dacey, the Director for Information Security Issues within the GAO, explained security program management as the framework for ensuring that risks are understood and effective controls are selected and properly implemented. He asserted that security program management is fundamental to the appropriate selection and effectiveness of information security control categories, e.g., access, software change, segregation of duties, system software, and service continuity. He also testified that no federal agency was doing a good job of managing their respective security programs. While the GAO report was specifically directed toward federal agencies, the principle of treating security as a program that required effective management is applicable to all organizations that rely on information technology for their competitive edge or their survival.

Security program management covers a range of activities; it is based on the foundation of understanding information security risks, selecting and implementing controls commensurate with the risk, and ensuring that controls, once implemented, continue to operate effectively. The integration of identifying and assessing risks into the management procedures and the organizational culture is essential for security program management. This should not be news; assessing and managing (or accepting) risks are commonly accepted business practices throughout effective organizations. In the most basic terms, risk management includes assessing which assets are critically important to the organization, what threats may impact those critical assets, what risks to the organization evolve if those threats are realized, and how to manage, mitigate, or accept the identified risks.

Risk assessment and risk management are not single shots but rather are continuous processes repeated as a cycle of identifying risks, creating plans to address those risks, acting on those plans, and monitoring the results of the actions. This paper will examine the relationship of risk and risk management to an effective security management program.

Business Risk Management

Almost all business decisions need grounding in the potential cost of inaction compared to the cost of actions to reduce the risks. Risk is simply the possibility of suffering harm or loss. More formally, risk is the net negative impact of the exercise of vulnerability, considering both the probability and the impact of the occurrence [STO01]. Risk is a function of a threat-source
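The answer above defines risk in terms of probability and impact and describes risk management as deciding which assets matter, what threatens them, and whether to mitigate or accept each risk; the question points to FIPS 199, which rates impact per security objective (confidentiality, integrity, availability) as LOW, MODERATE or HIGH and takes the highest rating as the system's category. The following Python is an added worked example that ties those two ideas together; it is not part of the original answer and not code from NIST. The per-objective high-water-mark rule is FIPS 199's own; the 1-to-3 likelihood scale, the likelihood-times-impact score, the risk-appetite threshold, and the payroll system with its information types and threats are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Impact levels from FIPS 199, ordered so that max() yields the standard's
# "high-water mark". NOT APPLICABLE (permitted only for the confidentiality of
# public information) is treated as the lowest value here.
LEVELS: Dict[str, int] = {"NOT APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    """One kind of information a system handles, with a FIPS 199 impact per objective."""
    name: str
    impact: Dict[str, str]  # objective -> impact level


def high_water_mark(levels: List[str]) -> str:
    """Highest impact level in a list (the FIPS 199 aggregation rule)."""
    return max(levels, key=lambda lvl: LEVELS[lvl])


def categorize_system(info_types: List[InformationType]) -> Tuple[Dict[str, str], str]:
    """FIPS 199 security categorization of a system.

    Per objective, the system's impact is the highest impact of any information
    type it handles; the overall category is the highest of the three objectives.
    """
    per_objective = {
        obj: high_water_mark([t.impact[obj] for t in info_types]) for obj in OBJECTIVES
    }
    overall = high_water_mark(list(per_objective.values()))
    return per_objective, overall


@dataclass
class Risk:
    """A risk-register entry: a threat against an asset, affecting one objective."""
    asset: str
    threat: str
    objective: str
    likelihood: int  # constructed 1..3 scale (rare / possible / likely)
    impact: str      # FIPS 199 impact level if the threat is realized


def risk_score(risk: Risk) -> int:
    """Simplified likelihood x impact score (an assumption, not a NIST formula)."""
    return risk.likelihood * LEVELS[risk.impact]


def rank_register(risks: List[Risk]) -> List[Tuple[str, int]]:
    """Risk register sorted so the entries needing attention first come first."""
    ranked = sorted(risks, key=risk_score, reverse=True)
    return [(f"{r.threat} -> {r.asset} ({r.objective})", risk_score(r)) for r in ranked]


def treatment(score: int, appetite: int = 3) -> str:
    """Decide whether a risk sits within the (assumed) appetite or must be mitigated."""
    return "accept" if score <= appetite else "mitigate"


# Constructed sample: a payroll system and the information types it processes.
SAMPLE_INFO_TYPES = [
    InformationType("employee PII",
                    {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"}),
    InformationType("public HR policies",
                    {"confidentiality": "NOT APPLICABLE", "integrity": "LOW", "availability": "LOW"}),
    InformationType("payroll disbursement",
                    {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"}),
]

# Constructed sample risks against that system (not real incident data).
SAMPLE_RISKS = [
    Risk("payroll system", "phishing leads to credential theft", "confidentiality", 3, "MODERATE"),
    Risk("payroll system", "ransomware encrypts servers", "availability", 2, "HIGH"),
    Risk("payroll system", "insider alters pay rates", "integrity", 1, "HIGH"),
    Risk("HR policy website", "DDoS on public pages", "availability", 2, "LOW"),
]

if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_INFO_TYPES)
    print("FIPS 199 category:", per_obj, "=> overall", overall)
    for label, score in rank_register(SAMPLE_RISKS):
        print(f"{score:2d}  {treatment(score):8s} {label}")
```

Run as a script it prints the system's categorization (integrity drives it to HIGH, because payroll disbursement must not be silently altered) and then the ranked register with an accept/mitigate decision per entry. The point of the pairing is the one the answer makes: the CIA objectives are not separate from risk management, they are the axes along which impact is rated, and the ranking is what lets a security program owner talk to a business process owner about which risks deserve controls first.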