Assessing security risks
This security category's objective is to identify, quantify and prioritize risks against the organization's risk assessment criteria and objectives.
Security risk assessment • Risk assessments should be performed, and updated at appropriate intervals, for all information systems. Control includes:
- systematic methods of assessing risks (threats and vulnerabilities);
- systematic methods of comparing assessed risks against risk criteria;
- periodic re-assessments to address changes in security requirements and/or in the risk environment; and
- clearly defined scope, including specification of the system(s) assessed, the means of assessment employed, and relationships with other risk assessments if appropriate.
Authorities: ISO-27002:2005 4.1.; HIPAA 164.308(a)(1)(ii)(A); PCI-DSS:2005 12.1.2.
Treating security risks
This category aims to appropriately mitigate risk in light of organizational objectives and risk criteria.
Security risk treatment • Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate administrative, technical and physical controls. Control includes:
- applying appropriate controls to avoid, eliminate or reduce risks;
- transferring some risks to third parties as appropriate (e.g., by insurance);
- knowingly and objectively accepting some risks; and
- documenting the risk treatment choices made, and the reasons for them.
Risk treatments should take account of:
- legal-regulatory and private certificatory requirements;
- organizational objectives, operational requirements and constraints; and
- costs of implementation and operation relative to risks being reduced.
Authorities: ISO-27002:2005 4.2.; HIPAA 164.308(a)(1)(ii)(B); PCI-DSS:2005 12.1.3.
Article By http://privacy.med.miami.edu/