
Saturday, 04 April 2015

The prioritization of IT risk

1. How important is the asset (i.e. how much does the car cost)?

2. How vulnerable is the asset to a negative event (i.e. if I rear end the car in front of me, how well will the car survive the crash)?

3. How likely is it that someone would try to exploit the vulnerabilities (i.e. how good are my driving skills in fog)?

4. What controls do we have in place to protect the asset from these vulnerabilities (i.e. do I have fog lights)?

5. If the controls do not provide sufficient protection, what additional controls can we employ to reduce the risk to an acceptable level (if I still can't see well enough with the fog lights on, what else can I do to avoid an accident)?

Historically, information security officers, disaster recovery coordinators and others who needed to make operational risk decisions in the workplace found the answers to these types of questions by referring to prior experience and subjective reasoning. If you worked long enough in information security, you would get a good "feel" for the risks and exposures, and your experience would guide your decisions. But try telling the CEO that you want funding for an expensive project that will improve controls, and that the justification for the request is based on your "gut feeling" and prior experience. No wonder many senior executives view information security as overblown and inscrutable. Until information security can develop tools to objectively identify and measure risk, we will have little credibility with management in explaining the risk options.
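As an added illustration (not from the original post), the five questions above can be turned into a small scoring model that ranks assets and shows how much extra control each one needs. The 1-5 scales, the 0..1 control-effectiveness fraction, the multiplicative formula and the acceptable-risk threshold are all assumptions, and the sample register is constructed.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One row of a risk register. Scores are on an assumed 1-5 scale."""
    name: str
    value: int                    # Q1: how important is the asset
    vulnerability: int            # Q2: how badly a negative event would hurt it
    likelihood: int               # Q3: how likely someone exploits the weakness
    control_effectiveness: float  # Q4: fraction (0..1) of exposure current controls remove


def inherent_risk(a: Asset) -> int:
    """Exposure before any controls: value x vulnerability x likelihood (max 125)."""
    return a.value * a.vulnerability * a.likelihood


def residual_risk(a: Asset) -> float:
    """Exposure left after the controls already in place (Q4)."""
    return inherent_risk(a) * (1.0 - a.control_effectiveness)


def required_control_effectiveness(a: Asset, acceptable: float) -> float:
    """Q5: total control effectiveness needed to bring residual risk down to
    'acceptable'. Returns 0.0 when the existing controls already suffice."""
    inh = inherent_risk(a)
    if inh == 0 or residual_risk(a) <= acceptable:
        return 0.0
    return 1.0 - acceptable / inh


def prioritize(assets, acceptable: float):
    """Rank assets by residual risk, highest first, and report the gap that
    additional controls would have to close for each one."""
    rows = []
    for a in assets:
        need = required_control_effectiveness(a, acceptable)
        rows.append({
            "asset": a.name,
            "inherent": inherent_risk(a),
            "residual": round(residual_risk(a), 1),
            "additional_control_needed": round(max(0.0, need - a.control_effectiveness), 2),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register (hypothetical assets, not real data).
SAMPLE = [
    Asset("customer-db", value=5, vulnerability=4, likelihood=3, control_effectiveness=0.5),
    Asset("marketing-site", value=2, vulnerability=3, likelihood=5, control_effectiveness=0.2),
    Asset("build-server", value=4, vulnerability=4, likelihood=2, control_effectiveness=0.9),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, acceptable=10.0):
        print(row)
```

The "additional_control_needed" column is the number to put in front of management: it says how much more exposure the proposed project must remove, rather than relying on a gut feeling.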

Source: http://get.syr.edu

