IT risk management
Encyclopedia
The IT risk management is the application of risk management
Risk management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...

 to Information technology
Information technology
Information technology is the acquisition, processing, storage and dissemination of vocal, pictorial, textual and numerical information by a microelectronics-based combination of computing and telecommunications...

 context in order to manage IT risk
IT risk
Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...

, i.e.:
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise


IT risk management can be considered a component of a wider Enterprise risk management
Enterprise Risk Management
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...

 system.

The establishment, maintenance and continuous update of an ISMS
Information security management system
An information security management system is a set of policies concerned with information security management or IT related risks. The idioms arose primarily out of ISO 27001....

 provide a strong indication that a company is using a systematic approach for the identification,
assessment and management of information security risks.

Different methodologies have been proposed to manage IT risks, each of them divided in processes and steps.


According to Risk IT
Risk IT
Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.Risk IT was published in 2009 by ISACA...

, it encompasses not just only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit\value enabling risk associated to missing opportunities to use technology to enable or enhance business or the IT project management for aspects like overspending or late delivery with adverse business impact.

Because risk is strictly tied to uncertainty, Decision theory
Decision theory
Decision theory in economics, psychology, philosophy, mathematics, and statistics is concerned with identifying the values, uncertainties and other issues relevant in a given decision, its rationality, and the resulting optimal decision...

 should be applied to manage risk as a science, i.e. rationally making choices under uncertainty.

Generally speaking, risk
Risk
Risk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...

 is the product of likelihood times impact
Result
A result is the final consequence of a sequence of actions or events expressed qualitatively or quantitatively. Possible results include advantage, disadvantage, gain, injury, loss, value and victory. There may be a range of possible outcomes associated with an event depending on the point of...

 (Risk = Likelihood * Impact).

The measure of a IT risk can be determined as a product of threat, vulnerability and asset values:

Risk = Threat * Vulnerability * Asset

Definitions


The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...

 and threats
Threat (computer)
In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...

 to the information resources used by an organization in achieving business objectives, and deciding what countermeasures
Countermeasure (computer)
In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...

, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."

There are two things in this definition that may need some clarification. First, the process of risk management is an ongoing iterative process
Business process
A business process or business method is a collection of related, structured activities or tasks that produce a specific service or product for a particular customer or customers...

. It must be repeated indefinitely. The business environment is constantly changing and new threats
Threat (computer)
In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...

 and vulnerability
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...

 emerge every day. Second, the choice of countermeasure (computer)
Countermeasure (computer)
In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...

s (controls
Security controls
Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:*Before the event, preventive...

) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.

Risk management
Risk management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...

 is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives.

The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real world threat
Threat (computer)
In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...

s. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls
Security controls
Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:*Before the event, preventive...

 for providing the mission-essential security capabilities.

Risk management in the IT world is quite a complex, multi faced activity, with a lot of relations with other complex activities. The picture show the relationships between different related terms.

National Information Assurance Training and Education Center
National Information Assurance Training and Education Center
The National Information Assurance Training and Education Center is an American consortium of academic, industry, and government organizations to improve the literacy, awareness, training and education standards in Information Assurance...

 defines risk in the IT field as:
  1. The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA approval. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis
    Risk analysis (engineering)
    Risk analysis is the science of risks and their probability and evaluation.Probabilistic risk assessment is one analysis strategy usually employed in science and engineering.-Risk analysis and the risk workshop:...

    , certification, and approval.
  2. An element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events. An effective risk management program encompasses the following four phases:
    1. a Risk assessment, as derived from an evaluation of threats and vulnerabilities.
    2. Management decision.
    3. Control implementation.
    4. Effectiveness review.
  3. The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis
    Risk analysis (engineering)
    Risk analysis is the science of risks and their probability and evaluation.Probabilistic risk assessment is one analysis strategy usually employed in science and engineering.-Risk analysis and the risk workshop:...

    , cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.
  4. The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. lt indudes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.

Risk management as part of enterprise risk management

Some organizations have, and many others should have, a comprehensive Enterprise risk management
Enterprise Risk Management
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...

 (ERM) in place. The four objectives categories addressed, according to COSO are:
  • Strategy - high-level goals, aligned with and supporting the organization's mission
  • Operations - effective and efficient use of resources
  • Financial Reporting - reliability of operational and financial reporting
  • Compliance - compliance with applicable laws and regulations

According to Risk It
Risk IT
Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.Risk IT was published in 2009 by ISACA...

 framework by ISACA, IT risk is transversal to all four categories. The IT risk should be managed in the framework of Enterprise risk management: Risk appetite
Risk appetite
Risk Appetite is a method to help guide an organisation’s approach to risk and risk management.-Definition:The level of risk that an organisation is prepared to accept, before action is deemed necessary to reduce it...

 and Risk sensitivity of the whole enterprise should guide the IT risk management process. ERM should provide the context and business objectives to IT risk management

Risk management methodology

The term methodology
Methodology
Methodology is generally a guideline for solving a problem, with specificcomponents such as phases, tasks, methods, techniques and tools . It can be defined also as follows:...

 means an organized set of principles and rules that drive action in a particular field of knowledge.
A methodology does not describe specific methods; nevertheless it does specify several processes that need to be followed. These processes constitute a generic framework. They may be broken down in sub-processes, they may be combined, or their sequence may change. However, any risk management exercise must carry out these processes in one form or another, The following table compare the processes foreseen by three leading standards. ISACA Risk IT
Risk IT
Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.Risk IT was published in 2009 by ISACA...

 framework is more recent. The Risk IT Practitioner-Guide compares Risk IT and ISO 27005.
The overall comparison is illustrated in the following table.
Risk management constituent processes
ISO/IEC 27005:2008 BS 7799-3:2006 SP 800-30 Risk IT
Context establishment Organizational context RG and RE Domains more precisely
  • RG1.2 Propose IT risk tolerance,
  • RG2.1 Establish and maintain accountability for IT risk management
  • RG2.3 Adapt IT risk practices to enterprise risk practices,
  • RG2.4 Provide adequate resources for IT risk management,
  • RE2.1 Define IT risk analysis scope.
Risk assessment Risk assessment Risk assessment
RE2 process includes:
  • RE2.1 Define IT risk analysis scope.
  • RE2.2 Estimate IT risk.
  • RE2.3 Identify risk response options.
  • RE2.4 Perform a peer review of IT risk analysis.

In general, the elements as
described in the ISO 27005 process are all included in
Risk IT; however, some are structured and named
differently.
Risk treatment Risk treatment and management decision making Risk mitigation
  • RE 2.3 Identify risk response options
  • RR2.3 Respond to discovered risk exposure and opportunity
Risk acceptance RG3.4 Accept IT risk
Risk communication Ongoing risk management activities
  • RG1.5 Promote IT risk-aware culture
  • RG1.6 Encourage effective communication of IT risk
  • RE3.6 Develop IT risk indicators.
  • Risk monitoring and review Evaluation and assessment
  • RG2 Integrate with ERM.
  • RE2.4 Perform a peer review of IT risk analysis.
  • RG2.5 Provide independent assurance over IT risk management

  • Due to the probabilistic nature and the need of cost benefit analysis, the IT risks are managed following a process that accordingly to NIST SP 800-30 can be divided in the following steps:
    1. risk assessment
      Risk assessment
      Risk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat...

      ,
    2. risk mitigation, and
    3. evaluation
      Evaluation
      Evaluation is systematic determination of merit, worth, and significance of something or someone using criteria against a set of standards.Evaluation often is used to characterize and appraise subjects of interest in a wide range of human enterprises, including the arts, criminal justice,...

       and assessment
      Assessment
      Educational assessment is the process of documenting, usually in measurable terms, knowledge, skills, attitudes and beliefs. Assessment can focus on the individual learner, the learning community , the institution, or the educational system as a whole...

      .


    Effective risk management must be totally integrated into the Systems Development Life Cycle
    Systems Development Life Cycle
    The systems development life cycle , or software development life cycle in systems engineering, information systems and software engineering, is a process of creating or altering information systems, and the models and methodologies that people use to develop these systems.In software engineering...

    .

    Information risk analysis
    Risk analysis (engineering)
    Risk analysis is the science of risks and their probability and evaluation.Probabilistic risk assessment is one analysis strategy usually employed in science and engineering.-Risk analysis and the risk workshop:...

     conducted on applications, computer installations, networks and systems under development should be undertaken using structured methodologies.

    Context establishment

    This step is the first step in ISO ISO/IEC 27005
    ISO/IEC 27005
    ISO/IEC 27005, part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC 27000 series', is an information security standard published by the International Organization for Standardization and the International Electrotechnical Commission...

     framework. Most of the elementary activities are foreseen as the first sub process of Risk assessment according to NIST SP 800-30.
    This step implies the acquisition of all relevant information about the organization and the determination of the basic criteria, purpose, scope and boundaries of risk management activities and the organization in charge of risk management activities. The purpose is usually the compliance with legal requirements and provide evidence of due diligence supporting an ISMS that can be certified. The scope can be an incident reporting plan, a business continuity plan.

    Another area of application can be the certification of a product.

    Criteria include the risk evaluation, risk acceptance and impact evaluation criteria. These are conditioned by:
    • legal and regulatory requirements
    • the strategic value for the business of information processes
    • stakeholder expectations
    • negative consequences for the reputation of the organization


    Establishing the scope and boundaries, the organization should be studied: its mission, its values, its structure; its strategy, its locations and cultural environment. The constraints (budgetary, cultural, political, technical) of the organization are to be collected and documented as guide for next steps.

    Organization for security management

    The set up of the organization in charge of risk management is foreseen as partially fulfilling the requirement to provide the resources needed to establish, implement, operate, monitor, review, maintain and improve an ISMS. The main roles inside this organization are:
    • Senior Management
    • Chief information officer
      Chief information officer
      Chief information officer , or information technology director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals...

       (CIO)
    • System and Information owners
    • the business and functional managers
    • the Information System Security Officer (ISSO) or Chief information security officer
      Chief information security officer
      A chief information security officer is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected...

       (CISO)
    • IT Security Practitioners
    • Security Awareness Trainers

    Risk assessment

    Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control and monitoring of implemented measurements and the enforced security policy. On the contrary, Risk Assessment is executed at discrete time points (e.g. once a year, on demand, etc.) and – until the performance of the next assessment - provides a temporary view of assessed risks and while parameterizing the entire Risk Management process.
    This view of the relationship of Risk Management to Risk Assessment is depicted in figure as adopted from OCTAVE.

    Risk assessment is often conducted in more than one iteration, the first being a high-level assessment to identify high risks, while the other iterations detailed the analysis of the major risks and other risks.

    According to National Information Assurance Training and Education Center
    National Information Assurance Training and Education Center
    The National Information Assurance Training and Education Center is an American consortium of academic, industry, and government organizations to improve the literacy, awareness, training and education standards in Information Assurance...

     risk assessment in the IT field is:
    1. A study of the vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. Managers use the results of a risk assessment to develop security requirements and specifications.
    2. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
    3. An identification of a specific ADP facility's assets, the threats to these assets, and the ADP facility's vulnerability to those threats.
    4. An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level.
    5. A management tool which provides a systematic approach for determining the relative value and sensitivity of computer installation assets, assessing vulnerabilities, assessing loss expectancy or perceived risk exposure levels, assessing existing protection features and additional protection alternatives or acceptance of risks and documenting management decisions. Decisions for implementing additional protection features are normally based on the existence of a reasonable ratio between cost/benefit of the safeguard and sensitivity/value of the assets to be protected. Risk assessments may vary from an informal review of a small scale microcomputer installation to a more formal and fully documented analysis (i. e., risk analysis) of a large scale computer installation. Risk assessment methodologies may vary from qualitative or quantitative approaches to any combination of these two approaches.

    ISO 27005 framework

    Risk assessment receives as input the output of the previous step Context establishment; the output is the list of assessed risks prioritized according to risk evaluation criteria.
    The process can divided in the following steps:
    • Risk analysis
      Risk analysis (engineering)
      Risk analysis is the science of risks and their probability and evaluation.Probabilistic risk assessment is one analysis strategy usually employed in science and engineering.-Risk analysis and the risk workshop:...

      , further divided in:
      • Risk identification
      • Risk estimation
    • Risk evaluation

    The following table compare these ISO 27005 processes with Risk IT
    Risk IT
    Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.Risk IT was published in 2009 by ISACA...

     framework processes:
    Risk assessment constituent processes
    ISO 27005 Risk IT
    Risk analysis
    • RE2 Analyse risk comprises more than what is described by the ISO 27005 process step. RE2 has as its objective developing useful information to support risk decisions that take into account the business relevance of risk factors.
    • RE1 Collect data serves as input to the analysis of risk (e.g., identifying risk factors, collecting data on the external environment).
    Risk identification This process is included in RE2.2 Estimate IT risk. The identification of risk comprises the following elements:
  • Risk scenarios
  • Risk factors
  • Risk estimation RE2.2 Estimate IT risk
    Risk evaluation RE2.2 Estimate IT risk

    The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:
    • security policy
      Security policy
      Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls...

      ,
    • organization
      Organization
      An organization is a social group which distributes tasks for a collective goal. The word itself is derived from the Greek word organon, itself derived from the better-known word ergon - as we know `organ` - and it means a compartment for a particular job.There are a variety of legal types of...

       of information security,
    • asset management,
    • human resources
      Human resources
      Human resources is a term used to describe the individuals who make up the workforce of an organization, although it is also applied in labor economics to, for example, business sectors or even whole nations...

       security,
    • physical
      Physical security
      Physical security describes measures that are designed to deny access to unauthorized personnel from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts...

       and environmental security
      Environmental security
      Environmental security examines the threat posed by environmental events and trends to national power, as well as the impact of human conflict and international relations on the environment....

      ,
    • communications and operations management,
    • access control
      Access control
      Access control refers to exerting control over who can interact with a resource. Often but not always, this involves an authority, who does the controlling. The resource can be a given building, group of buildings, or computer-based information system...

      ,
    • information systems acquisition, development and maintenance, (see Systems Development Life Cycle
      Systems Development Life Cycle
      The systems development life cycle , or software development life cycle in systems engineering, information systems and software engineering, is a process of creating or altering information systems, and the models and methodologies that people use to develop these systems.In software engineering...

      )
    • information security incident management
      Incident management
      Incident Management refers to the activities of an organization to identify, analyze and correct hazards. For instance, a fire in a factory would be a risk that realized, or an incident that happened...

      ,
    • business continuity
      Business continuity
      Business continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management,...

       management, and
    • regulatory compliance
      Regulatory compliance
      In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and...

      .

    Risk identification

    Risk identification states what could cause a potential loss; the following are to be identified:
    • assets, primary (i.e. Business processes and related information) and supporting (i.e. hardware, software, personnel, site, organization structure)
    • threat
      Threat (computer)
      In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...

      s
    • existing and planned security measures
      Countermeasure (computer)
      In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...

    • vulnerabilities
      Vulnerability (computing)
      In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...

    • consequences
    • related business processes

    The output of sub process is made up of:
    • list of asset and related business processes to be risk managed with associated list of threats, existing and planned security measures
    • list of vulnerabilities unrelated to any identified threats
    • list of incident scenarios with their consequences.

    Risk estimation

    There are two methods of risk assessment in information security field, qualitative and quantitative.

    Purely quantitative risk assessment is a mathematical calculation based on security metrics on the asset (system or application).
    For each risk scenario, taking into consideration the different risk factors
    Risk factor (computing)
    In Information security, Risk factor is a collectively name for circumstances affecting the likelihood or the impact of a security risk.- FAIR :...

     a Single loss expectancy
    Single loss expectancy
    Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset.It is mathematically expressed as:...

     (SLE) is determined. Then, considering the probability of occurrence on a given period basis, for example the annual rate of occurrence (ARO), the Annualized Loss Expectancy
    Annualized Loss Expectancy
    The annualized loss expectancy is the product of the annual rate of occurrence and the single loss expectancy. It is mathematically expressed as:...

     is determined as the product of ARO X SLE.
    It is important to point out that the values of assets to be considered are those of all involved assets, not only the value of the directly affected resource.

    For example, if you consider the risk scenario of a Laptop theft
    Laptop theft
    Laptop theft is a significant threat to users of laptop computers. Many methods to protect the data and to prevent theft have been developed, including alarms, laptop locks, and visual deterrents such as stickers or labels. Victims of laptop theft can lose hardware, software, and essential data...

     threat, you should consider the value of the data (a related asset) contained in the computer and the reputation and liability of the company (other assets) deriving from the lost of availability and confidentiality of the data that could be involved.
    It is easy to understand that intangible asset
    Intangible asset
    Intangible assets are defined as identifiable non-monetary assets that cannot be seen, touched or physically measured, which are created through time and/or effort and that are identifiable as a separate asset...

    s (data, reputation, liability) can be worth much more than physical resources at risk (the laptop hardware in the example).
    Intangible asset value can be huge, but is not easy to evaluate: this can be a consideration against a pure quantitative approach.

    Qualitative risk assessment (three to five steps evaluation, from Very High to Low) is performed when the organization requires a risk assessment be performed in a relatively short time or to meet a small budget, a significant quantity of relevant data is not available, or the persons performing the assessment don't have the sophisticated mathematical, financial, and risk assessment expertise required. Qualitative risk assessment can be performed in a shorter period of time and with less data. Qualitative risk assessments are typically performed through interviews of a sample of personnel from all relevant groups within an organization charged with the security of the asset being assessed. Qualitative risk assessments are descriptive versus measurable.
    Usually a qualitative classification is done followed by a quantitative evaluation of the highest risks to be compared to the costs of security measures.

    Risk estimation has as input the output of risk analysis and can be split in the following steps:
    • assessment of the consequences through the valuation of assets
    • assessment of the likelihood of the incident (through threat and vulnerability valuation)
    • assign values to the likelihood and consequence of the risks

    The output is the list of risks with value levels assigned. It can be documented in a risk register
    Risk register
    A Risk Register is a Risk Management tool commonly used in Project Management and organisational risk assessments. It acts as a central repository for all risks identified by the project or organisation and, for each risk, includes information such as risk probability, impact, counter-measures,...



    During risk estimation there are generally three values of a given asset, one for the loss of one of the CIA properties: Confidentiality, Integrity, Availability.

    Risk evaluation

    The risk evaluation process receives as input the output of risk analysis process. It compares each risk level against the risk acceptance criteria and prioritise the risk list with risk treatment indications.

    NIST SP 800 30 framework

    To determine the likelihood of a future adverse event, threat
    Threat (computer)
    In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...

    s to an IT system must be in conjunction with the potential vulnerabilities
    Vulnerability (computing)
    In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...

     and the controls
    Security controls
    Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:*Before the event, preventive...

     in place for the IT system.

    Impact refers to the magnitude of harm that could be caused by a threat’s exercise of vulnerability. The level of impact is governed by the potential mission impacts and produces a relative value for the IT assets and resources affected (e.g., the criticality sensitivity of the IT system components and data). The risk assessment
    Risk assessment
    Risk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat...

     methodology encompasses nine primary steps:
    • Step 1 System Characterization
    • Step 2 Threat Identification
    • Step 3 Vulnerability Identification
    • Step 4 Control Analysis
    • Step 5 Likelihood Determination
    • Step 6 Impact Analysis
    • Step 7 Risk Determination
    • Step 8 Control Recommendations
    • Step 9 Results Documentation

    Risk mitigation

    Risk mitigation, the second process according to SP 800-30, the third according to ISO 27005 of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.
    Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of senior management and functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission.

    ISO 27005 framework

    The risk treatment process aim at selecting security measures to:
    • reduce
    • retain
    • avoid
    • transfer

    risk and produce a risk treatment plan, that is the output of the process with the residual risks subject to the acceptance of management.

    There are some list to select appropriate security measures, but is up to the single organization to choose the most appropriate one according to its business strategy, constraints of the environment and circumstances. The choice should be rational and documented. The importance of accepting a risk that is too costly to reduce is very high and led to the fact that risk acceptance is considered a separate process.

    Risk transfer apply were the risk has a very high impact but is not easy to reduce significantly the likelihood by means of security controls: the insurance
    Insurance
    In law and economics, insurance is a form of risk management primarily used to hedge against the risk of a contingent, uncertain loss. Insurance is defined as the equitable transfer of the risk of a loss, from one entity to another, in exchange for payment. An insurer is a company selling the...

     premium should be compared against the mitigation costs, eventually evaluating some mixed strategy to partially treat the risk. Another option is to outsource the risk to somebody more efficient to manage the risk.

    Risk avoidance describe any action where ways of conducting business are changed to avoid any risk occurrence. For example, the choice of not storing sensitive information about customers can be an avoidance for the risk that customer data can be stolen.

    The residual risks, i.e. the risk reaming after risk treatment decision have been taken, should be estimated to ensure that sufficient protection is achieved. If the residual risk is unacceptable, the risk treatment process should be iterated.

    NIST SP 800 30 framework

    Risk mitigation is a systematic methodology used by senior management to reduce mission risk.

    Risk mitigation can be achieved through any of the following risk mitigation options:
    • Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
    • Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
    • Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
    • Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes,implements, and maintains controls
    • Research and Acknowledgement. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
    • Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

    Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities: this is the suggestion contained in

    Risk communication

    Risk communication is a horizontal process that interacts bidirectionally with all other processes of risk management. Its purpose is to establish a common understanding of all aspect of risk among all the organization's stakeholder. Establishing a common understanding is important, since it influences decisions to be taken.

    Risk monitoring and review

    Risk management is an ongoing, never ending process. Within this process implemented security measures are regularly monitored and reviewed to ensure that they work as planned and that changes in the environment rendered them ineffective. Business requirements, vulnerabilities and threats can change over the time.

    Regular audits should be scheduled and should be conducted by an independent party, i.e. somebody not under the control of whom is responsible for the implementations or daily management of ISMS.

    IT evaluation and assessment

    Security controls should be validated. Technical controls are possible complex systems that are to tested and verified. The hardest part to validate is people knowledge of procedural controls and the effectiveness of the real application in daily business of the security procedures.

    Vulnerability assessment
    Vulnerability assessment
    A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply...

    , both internal and external, and Penetration test
    Penetration test
    A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders...

     are instruments for verifying the status of security controls.

    Information technology security audit is an organizational and procedural control with the aim of evaluating security.
    The IT systems of most organization are evolving quite rapidly. Risk management should cope with this changes through change authorization after risk re evaluation of the affected systems and processes and periodically review the risks and mitigation actions.

    Monitoring system events according to a security monitoring strategy, an incident response plan and security validation and metrics are fundamental activities to assure that an optimal level of security is obtained.

    It is important to monitor the new vulnerabilities, apply procedural and technical security controls like regularly updating software
    Patch (computing)
    A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance...

    , and evaluate other kinds of controls to deal with zero-day attacks.

    The attitude of involved people to benchmark
    Benchmark
    -Geology:*Benchmark , a point of reference for a measurement**Benchmarking , an activity involving finding benchmarks*Benchmark , used in pricing crude oil-Technology:...

     against best practice
    Best practice
    A best practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark...

     and follow the seminars of professional associations in the sector are factors to assure the state of art of an organization IT risk management practice.

    Integrating risk management into system development life cycle

    Effective risk management must be totally integrated into the SDLC
    Systems Development Life Cycle
    The systems development life cycle , or software development life cycle in systems engineering, information systems and software engineering, is a process of creating or altering information systems, and the models and methodologies that people use to develop these systems.In software engineering...

    . An IT system’s SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. The risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC.
    align="center" |Table 2-1 Integration of Risk Management into the SDLC
    SDLC PhasesPhase CharacteristicsSupport from Risk Management Activities
    Phase 1: Initiation The need for an IT system is expressed and the purpose and scope of the IT system is documented Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy)
    Phase 2: Development or Acquisition The IT system is designed, purchased, programmed, developed, or otherwise constructed The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development
    Phase 3: Implementation The system security features should be configured, enabled, tested, and verified The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation
    Phase 4: Operation or Maintenance The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces)
    Phase 5: Disposal This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner

    NIST SP 800-64 is devoted to this topic.

    Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs, through:
    • Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation;
    • Awareness of potential engineering challenges caused by mandatory security controls;
    • Identification of shared security services
      Security service (telecommunication)
      Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T X.800 Recommendation....

       and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; and
    • Facilitation of informed executive decision making through comprehensive risk management in a timely manner.

    This guide focuses on the information security components of the SDLC. First, descriptions of the key security roles and responsibilities that are needed in most information system developments are provided. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC.
    The document integrates the security steps into the linear, sequential (a.k.a. waterfall) SDLC. The five-step SDLC cited in the document is an example of one method of development and is not intended to mandate this methodology.
    Lastly, SP 800-64 provides insight into IT projects and initiatives that are not as clearly defined as SDLC-based developments, such as service-oriented architectures, cross-organization projects, and IT facility developments.

    Security can be incorporated into information systems acquisition, development and maintenance by implementing effective security practices in the following areas.
    • Security requirements for information systems
    • Correct processing in applications
    • Cryptographic controls
    • Security of system files
    • Security in development and support processes
    • Technical vulnerability management
      Vulnerability management
      "Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities" This practice generally refers to software vulnerabilities in computing systems.- Vulnerability Management Programs :...



    Information systems security begins with incorporating security into the requirements process for any new application or system enhancement. Security should be designed into the system from the beginning. Security requirements are presented to the vendor during the requirements phase of a product purchase. Formal testing should be done to determine whether the product meets the required security specifications prior to purchasing the product.

    Correct processing in applications is essential in order to prevent errors and to mitigate loss, unauthorized modification or misuse of information. Effective coding techniques include validating input and output data, protecting message integrity using encryption, checking for processing errors, and creating activity logs.

    Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk Encryption is one way to protect data at rest. Data in transit can be protected from alteration and unauthorized viewing using SSL certificates issued through a Certificate Authority that has implemented a Public Key Infrastructure.

    System files used by applications must be protected in order to ensure the integrity and stability of the application. Using source code repositories with version control, extensive testing, production back-off plans, and appropriate access to program code are some effective measures that can be used to protect an application's files.

    Security in development and support processes is an essential part of a comprehensive quality assurance and production control process, and would usually involve training and continuous oversight by the most experienced staff.

    Applications need to be monitored and patched for technical vulnerabilities. Procedures for applying patches should include evaluating the patches to determine their appropriateness, and whether or not they can be successfully removed in case of a negative impact.

    Critique of risk management as a methodology

    Risk management as a scientific methodology has been criticized as being shallow. Major programs that implies risk management applied to IT systems of large organizations as FISMA has been criticized.

    The risk management methodology is based on scientific foundations of statistical decision making: indeed, by avoiding the complexity that accompanies the formal probabilistic model of risks and uncertainty, risk management looks more like a process that attempts to guess rather than formally predict the future on the basis of statistical evidence. It is highly subjective in assessing the value of assets, the likelihood of threats occurrence and the significance of the impact.

    Having considered this criticisms the risk management is a very important instrument in designing, implementing and operating secure information systems because it systematically classifies and drives the process of deciding how to treat risks. Its usage is foreseen by legislative rules in many countries. A better way to deal with the subject it is not emerged.

    Risk managements methods

    It is quite hard to list most of the methods that at least partially support the IT risk management process. Efforts in this direction were done by:
    • NIST Description of Automated Risk Management Packages That NIST/NCSC Risk Management Research Laboratory Has Examined, updated 1991
    • ENISA in 2006; a list of methods and tools is available on line with a comparison engine. Among them the most widely used are:
      • CRAMM
        CRAMM
        - History :CRAMM was created in 1987 by the Central Computing and Telecommunications Agency of the United Kingdom government. CRAMM is currently on its fifth version, CRAMM Version 5.0. It comprises three stages, each supported by objective questionnaires and guidelines. The first two stages...

         Developed by British government is compliant to ISO/IEC 17799, Gramm–Leach–Bliley Act (GLBA) and Health Insurance Portability and Accountability Act
        Health Insurance Portability and Accountability Act
        The Health Insurance Portability and Accountability Act of 1996 was enacted by the U.S. Congress and signed by President Bill Clinton in 1996. It was originally sponsored by Sen. Edward Kennedy and Sen. Nancy Kassebaum . Title I of HIPAA protects health insurance coverage for workers and their...

         (HIPAA)
      • EBIOS
        EBIOS
        EBIOS allows evaluation and action on risks relative to information systems security, and proposes a security policy adapted to the needs of an organization...

         developed by the French government it is compliant with major security standards: ISO/IEC 27001
        ISO/IEC 27001
        ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission...

        , ISO/IEC 13335, ISO/IEC 15408, ISO/IEC 17799 and ISO/IEC 21287
      • Standard of Good Practice
        Standard of Good Practice
        The Standard of Good Practice for Information Security, published by the Information Security Forum , is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains....

         developed by Information Security Forum
        Information Security Forum
        The Information Security Forum is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in information security, and developing best practice methodologies, processes and solutions that meet...

         (ISF)
      • Mehari
        Mehari
        MEHARI is a method for risk analysis and risk management developed and distributed by .- History :...

         developed by Clusif Club de la Sécurité de l'Information Français
      • Octave developed by Carnegie Mellon University, SEI (Software Engineering Institute
        Software Engineering Institute
        The Carnegie Mellon Software Engineering Institute is a federally funded research and development center headquartered on the campus of Carnegie Mellon University in Pittsburgh, Pennsylvania, United States. SEI also has offices in Arlington, Virginia, and Frankfurt, Germany. The SEI operates...

        ) The Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVE®) approach defines a risk-based strategic assessment and planning technique for security.
      • IT-Grundschutz
        IT Baseline Protection Catalogs
        The IT Baseline Protection Catalogs, or IT-Grundschutz-Kataloge, are a collection of documents from the German Federal Office for Security in Information Technology that provide useful information for detecting weaknesses and combating attacks in the information technology environment...

         (IT Baseline Protection Manual) developed by Federal Office for Information Security (BSI) (Germany); IT-Grundschutz provides a method for an organization to establish an Information Security Management System (ISMS). It comprises both generic IT security recommendations for establishing an applicable IT security process and detailed technical recommendations to achieve the necessary IT security level for a specific domain

    Enisa report classified the different methods regarding completeness, free availability, tool support; the result is that:
    • EBIOS, ISF methods, IT-Grundschutz cover deeply all the aspects (Risk Identification, Risk analysis, Risk evaluation, Risk assessment, Risk treatment, Risk acceptance, Risk communication),
    • EBIOS and IT-Grundschutz are the only ones freely available and
    • only EBIOS has an open source tool to support it.


    The Factor Analysis of Information Risk
    Factor Analysis of Information Risk
    Factor analysis of information risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events...

     (FAIR) main document, "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006;
    outline that most of the methods above lack of rigorous definition of risk and its factors. FAIR is not another methodology to deal with risk management, but it complements existing methodologies.

    FAIR has had a good acceptance, mainly by The Open Group
    The Open Group
    The Open Group is a vendor and technology-neutral industry consortium, currently with over three hundred member organizations. It was formed in 1996 when X/Open merged with the Open Software Foundation...

     and ISACA.

    ISACA developed a methodology, called Risk IT
    Risk IT
    Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.Risk IT was published in 2009 by ISACA...

    , to address various kind of IT related risks, chiefly security related risks. It is integrated with COBIT
    COBIT
    COBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...

    , a general framework to manage IT.
    Risk IT has a broader concept of IT risk
    IT risk
    Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...

     than other methodologies, it encompasses not just only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit\value enabling risk associated to missing opportunities to use technology to enable or enhance business or the IT project management for aspects like overspending or late delivery with adverse business impact.

    The "Build Security In" initiative of Homeland Security Department of USA, cites FAIR.
    The initiative Build Security In is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development. So it chiefly address Secure coding
    Secure Coding
    History has proven that software defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively...

    .

    Standards

    There are a number of standards about IT risk
    IT risk
    Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...

     and IT risk management. For a description see the main article.

    See also

    • Access control
      Access control
      Access control refers to exerting control over who can interact with a resource. Often but not always, this involves an authority, who does the controlling. The resource can be a given building, group of buildings, or computer-based information system...

    • Asset (computing)
    • Asset management
    • Assessment
      Assessment
      Educational assessment is the process of documenting, usually in measurable terms, knowledge, skills, attitudes and beliefs. Assessment can focus on the individual learner, the learning community , the institution, or the educational system as a whole...

    • Attack (computer)
      Attack (computer)
      In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...

    • Availability
      Availability
      In telecommunications and reliability theory, the term availability has the following meanings:* The degree to which a system, subsystem, or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time...

    • Benchmark
      Benchmark
      -Geology:*Benchmark , a point of reference for a measurement**Benchmarking , an activity involving finding benchmarks*Benchmark , used in pricing crude oil-Technology:...

    • Best practice
      Best practice
      A best practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark...

    • Business continuity
      Business continuity
      Business continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management,...

    • Business continuity plan
    • Business process
      Business process
      A business process or business method is a collection of related, structured activities or tasks that produce a specific service or product for a particular customer or customers...

    • Certified Information Systems Auditor
    • Chief information officer
      Chief information officer
      Chief information officer , or information technology director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals...

    • Chief information security officer
      Chief information security officer
      A chief information security officer is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected...

    • COBIT
      COBIT
      COBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...

    • Common Vulnerabilities and Exposures
      Common Vulnerabilities and Exposures
      The Common Vulnerabilities and Exposures or CVE system provides a reference-method for publicly-known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland...

       (CVE)
    • Communications
    • Computer insecurity
      Computer insecurity
      Computer insecurity refers to the concept that a computer system is always vulnerable to attack, and that this fact creates a constant battle between those looking to improve security, and those looking to circumvent security.-Security and systems design:...

    • Computer security
      Computer security
      Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...


    • * Confidentiality
      Confidentiality
      Confidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...

    • COSO
    • Countermeasure (computer)
      Countermeasure (computer)
      In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...

    • CRAMM
      CRAMM
      - History :CRAMM was created in 1987 by the Central Computing and Telecommunications Agency of the United Kingdom government. CRAMM is currently on its fifth version, CRAMM Version 5.0. It comprises three stages, each supported by objective questionnaires and guidelines. The first two stages...

    • Common Vulnerability Scoring System
      CVSS
      Common Vulnerability Scoring System is an industry standard for assessing the severity of computer system security vulnerabilities. It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized...

       (CVSS)
    • Decision theory
      Decision theory
      Decision theory in economics, psychology, philosophy, mathematics, and statistics is concerned with identifying the values, uncertainties and other issues relevant in a given decision, its rationality, and the resulting optimal decision...

    • EBIOS
      EBIOS
      EBIOS allows evaluation and action on risks relative to information systems security, and proposes a security policy adapted to the needs of an organization...

    • ENISA
    • Enterprise risk management
      Enterprise Risk Management
      Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...

    • Environmental security
      Environmental security
      Environmental security examines the threat posed by environmental events and trends to national power, as well as the impact of human conflict and international relations on the environment....

    • Evaluation
      Evaluation
      Evaluation is systematic determination of merit, worth, and significance of something or someone using criteria against a set of standards.Evaluation often is used to characterize and appraise subjects of interest in a wide range of human enterprises, including the arts, criminal justice,...

    • Exploit (computer security)
      Exploit (computer security)
      An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...

    • Factor Analysis of Information Risk
      Factor Analysis of Information Risk
      Factor analysis of information risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events...

    • FISMA
    • Full disclosure
      Full disclosure
      In computer security, full disclosure means to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity...

    • Gramm–Leach–Bliley Act
    • Health Insurance Portability and Accountability Act
      Health Insurance Portability and Accountability Act
      The Health Insurance Portability and Accountability Act of 1996 was enacted by the U.S. Congress and signed by President Bill Clinton in 1996. It was originally sponsored by Sen. Edward Kennedy and Sen. Nancy Kassebaum . Title I of HIPAA protects health insurance coverage for workers and their...

    • Homeland Security Department
    • Human resources
      Human resources
      Human resources is a term used to describe the individuals who make up the workforce of an organization, although it is also applied in labor economics to, for example, business sectors or even whole nations...

    • Incident management
      Incident management
      Incident Management refers to the activities of an organization to identify, analyze and correct hazards. For instance, a fire in a factory would be a risk that realized, or an incident that happened...

    • Information security
      Information security
      Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....

    • Information Security Forum
      Information Security Forum
      The Information Security Forum is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in information security, and developing best practice methodologies, processes and solutions that meet...

    • Information security management
      Information Security Management
      Information security describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage...

    • Information technology
      Information technology
      Information technology is the acquisition, processing, storage and dissemination of vocal, pictorial, textual and numerical information by a microelectronics-based combination of computing and telecommunications...

    • Information technology security audit
    • Insurance
      Insurance
      In law and economics, insurance is a form of risk management primarily used to hedge against the risk of a contingent, uncertain loss. Insurance is defined as the equitable transfer of the risk of a loss, from one entity to another, in exchange for payment. An insurer is a company selling the...

    • Integrity
      Integrity
      Integrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and outcomes. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions...

    • ISACA

    • Information security management system
      Information security management system
      An information security management system is a set of policies concerned with information security management or IT related risks. The idioms arose primarily out of ISO 27001....

       (ISMS)
    • Information technology
      Information technology
      Information technology is the acquisition, processing, storage and dissemination of vocal, pictorial, textual and numerical information by a microelectronics-based combination of computing and telecommunications...

    • ISO
    • ISO/IEC 15408
    • ISO/IEC 17799
    • ISO/IEC 27000-series
      ISO/IEC 27000-series
      The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization and the International Electrotechnical Commission .The series provides best practice recommendations on information security management, risks and controls...

    • ISO/IEC 27001
      ISO/IEC 27001
      ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission...

    • ISO/IEC 27005
      ISO/IEC 27005
      ISO/IEC 27005, part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC 27000 series', is an information security standard published by the International Organization for Standardization and the International Electrotechnical Commission...

    • IT-Grundschutz
      IT Baseline Protection Catalogs
      The IT Baseline Protection Catalogs, or IT-Grundschutz-Kataloge, are a collection of documents from the German Federal Office for Security in Information Technology that provide useful information for detecting weaknesses and combating attacks in the information technology environment...

    • IT risk
      IT risk
      Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...

    • National Information Assurance Training and Education Center
      National Information Assurance Training and Education Center
      The National Information Assurance Training and Education Center is an American consortium of academic, industry, and government organizations to improve the literacy, awareness, training and education standards in Information Assurance...

    • National Security
      National security
      National security is the requirement to maintain the survival of the state through the use of economic, diplomacy, power projection and political power. The concept developed mostly in the United States of America after World War II...

    • NIST
    • Mehari
      Mehari
      MEHARI is a method for risk analysis and risk management developed and distributed by .- History :...

    • Methodology
      Methodology
      Methodology is generally a guideline for solving a problem, with specificcomponents such as phases, tasks, methods, techniques and tools . It can be defined also as follows:...

    • Organization
      Organization
      An organization is a social group which distributes tasks for a collective goal. The word itself is derived from the Greek word organon, itself derived from the better-known word ergon - as we know `organ` - and it means a compartment for a particular job.There are a variety of legal types of...

    • OWASP
      OWASP
      The Open Web Application Security Project is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and...

    • Patch (computing)
      Patch (computing)
      A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance...

    • Penetration test
      Penetration test
      A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders...

    • Physical security
      Physical security
      Physical security describes measures that are designed to deny access to unauthorized personnel from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts...

    • Privacy
      Privacy
      Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively...

    • Regulatory compliance
      Regulatory compliance
      In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and...

    • Risk
      Risk
      Risk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...

    • Risk analysis (engineering)
      Risk analysis (engineering)
      Risk analysis is the science of risks and their probability and evaluation.Probabilistic risk assessment is one analysis strategy usually employed in science and engineering.-Risk analysis and the risk workshop:...

    • Risk appetite
      Risk appetite
      Risk Appetite is a method to help guide an organisation’s approach to risk and risk management.-Definition:The level of risk that an organisation is prepared to accept, before action is deemed necessary to reduce it...

    • Risk assessment
      Risk assessment
      Risk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat...

    • Risk factor (computing)
      Risk factor (computing)
      In Information security, Risk factor is a collectively name for circumstances affecting the likelihood or the impact of a security risk.- FAIR :...

    • Risk management
      Risk management
      Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...

    • Risk IT
      Risk IT
      Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.Risk IT was published in 2009 by ISACA...

    • Risk register
      Risk register
      A Risk Register is a Risk Management tool commonly used in Project Management and organisational risk assessments. It acts as a central repository for all risks identified by the project or organisation and, for each risk, includes information such as risk probability, impact, counter-measures,...

    • Secure coding
      Secure Coding
      History has proven that software defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively...

    • Security control
      Security controls
      Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:*Before the event, preventive...

    • Security policy
      Security policy
      Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls...

    • Security risk
      Security risk
      Security Risk describes employing the concept of risk to the security risk management paradigm to make a particular determination of security orientated events.According to CNSS Instruction No...

    • Security service (telecommunication)
      Security service (telecommunication)
      Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T X.800 Recommendation....

    • Standard of Good Practice
      Standard of Good Practice
      The Standard of Good Practice for Information Security, published by the Information Security Forum , is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains....

    • Stakeholder (corporate)
    • Systems Development Life Cycle
      Systems Development Life Cycle
      The systems development life cycle , or software development life cycle in systems engineering, information systems and software engineering, is a process of creating or altering information systems, and the models and methodologies that people use to develop these systems.In software engineering...

    • The Open Group
      The Open Group
      The Open Group is a vendor and technology-neutral industry consortium, currently with over three hundred member organizations. It was formed in 1996 when X/Open merged with the Open Software Foundation...

    • Threat
      Threat (computer)
      In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...

    • Vulnerability
      Vulnerability (computing)
      In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...

    • Vulnerability assessment
      Vulnerability assessment
      A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply...

    • Vulnerability management
      Vulnerability management
      "Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities" This practice generally refers to software vulnerabilities in computing systems.- Vulnerability Management Programs :...

    • w3af
      W3af
      w3af is an open-source web application security scanner. The project provides a vulnerability scanner and exploitation tool for Web applications...

    • zero-day attack


    External links

    The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
     
    x
    OK