

Thursday, August 2, 2007

Step 2: Analyze risk

by Change Tech Solutions Inc. | Oct 8, 2003

Every effective security management system reflects a careful evaluation of how much security is needed. Too little security means the system can easily be compromised intentionally or unintentionally. Too much security can make the system hard to use or degrade its performance unacceptably. Security is inversely proportional to utility—if you want the system to be 100 percent secure, don't let anybody use it. There will always be risks to systems, but often these risks are accepted if they make the system more powerful or easier to use.

Acceptance of risk is central to good security management. You'll never have enough resources to secure assets 100 percent; in fact, this is virtually impossible even with unlimited resources. Therefore, identify all risks to the system, then choose which risks to accept and which to address via security measures. Here are a few reasons some risks are acceptable:
  • The threat is minimal.
  • The possibility of compromise is unlikely.
  • The value of the asset is low.
  • The cost to secure the asset is greater than the value of the asset.
  • The threat will soon go away.
  • Security violations can easily be detected and immediately corrected.

After you've identified the risks, the next step is to determine the effect on the business if the asset is lost or compromised. This gives you a good idea of how many resources should be assigned to protecting the asset. One user workstation almost certainly deserves fewer resources than the company's servers.

The risks you choose to accept should be documented and signed by all parties, not only to protect the IT organization, but also to make everybody aware that unsecured company assets do exist.
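The procedure described above (identify risks, decide which to accept, rank the rest by business impact, and document the accepted ones for sign-off) can be made concrete with a small risk register. The following is an added example, not code from the original article or its author: the assets, values, probabilities and thresholds are constructed sample data, and the scoring rule (expected loss = likelihood times asset value, with the "threat is minimal" criterion folded into the low-likelihood threshold) is an assumption chosen for illustration.

```python
"""Added example: a minimal risk register that applies the acceptance
criteria from the article and ranks the remaining risks by expected loss.
All figures below are constructed sample data, not values from the article."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float            # business/replacement value, currency units
    likelihood: float             # assumed annual probability of compromise, 0..1
    control_cost: float           # annual cost of the security measure
    threat_expires: bool = False  # the threat will soon go away
    easily_corrected: bool = False  # violations are detected and fixed quickly

    def expected_loss(self) -> float:
        """Annualised expected loss (assumed scoring rule): likelihood x value."""
        return self.likelihood * self.asset_value


def acceptance_reason(risk: Risk, low_value: float = 1000.0,
                      low_likelihood: float = 0.05) -> Optional[str]:
    """Return the reason a risk is acceptable, or None if it must be addressed.

    Thresholds are hypothetical; a real organisation sets its own."""
    if risk.asset_value <= low_value:
        return "value of the asset is low"
    if risk.likelihood <= low_likelihood:
        return "threat is minimal / compromise is unlikely"
    if risk.control_cost > risk.asset_value:
        return "cost to secure exceeds asset value"
    if risk.threat_expires:
        return "threat will soon go away"
    if risk.easily_corrected:
        return "violations are easily detected and corrected"
    return None


def analyze(risks: List[Risk]) -> Tuple[List[Tuple[Risk, str]], List[Risk]]:
    """Split risks into (accepted with reason) and (to address).

    Risks to address are sorted by expected loss, highest first, so that
    resources go to the assets whose loss would hurt the business most."""
    accepted, address = [], []
    for r in risks:
        reason = acceptance_reason(r)
        if reason:
            accepted.append((r, reason))
        else:
            address.append(r)
    address.sort(key=lambda r: r.expected_loss(), reverse=True)
    return accepted, address


def acceptance_record(accepted: List[Tuple[Risk, str]]) -> str:
    """Plain-text record of accepted risks, to be signed by all parties."""
    lines = ["ACCEPTED RISKS (require sign-off)"]
    for r, reason in accepted:
        lines.append(f"- {r.asset}: {r.threat} -- accepted because {reason} "
                     f"(expected loss {r.expected_loss():,.0f})")
    lines.append("Signed: ______________  Date: __________")
    return "\n".join(lines)


# Constructed sample register (hypothetical assets and figures).
SAMPLE_RISKS = [
    Risk("customer database server", "SQL injection via web app", 500_000, 0.30, 20_000),
    Risk("file server", "ransomware via phishing", 200_000, 0.20, 15_000),
    Risk("one user workstation", "malware infection", 800, 0.40, 500),
    Risk("legacy kiosk PC", "unpatched OS exploit", 5_000, 0.10, 6_000),
    Risk("build server", "credential theft", 50_000, 0.02, 4_000),
    Risk("temporary trade-show laptop", "theft", 3_000, 0.15, 400, threat_expires=True),
]

if __name__ == "__main__":
    accepted, address = analyze(SAMPLE_RISKS)
    for r in address:
        print(f"ADDRESS {r.asset}: expected loss {r.expected_loss():,.0f}, "
              f"control cost {r.control_cost:,.0f}")
    print(acceptance_record(accepted))
```

Running the sample register leaves the two servers as the risks to address, with the database server first, and produces a four-entry acceptance record (low-value workstation, kiosk whose control costs more than the asset, unlikely build-server compromise, and a short-lived threat to the loaner laptop) ready for signatures.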

Back To Implement Security Management With These Six Steps
