Saturday, May 4, 2013

Information security = Organizational risk

Ultimately, information security is about risk. What is an organization's tolerance for information security breaches? And how can an organization know its tolerance without understanding, before a breach happens, what the outcome of one would be?

So what really is risk? Simply put, it is the product of how likely an event is and how bad its consequences are:  Risk = Likelihood × Impact (the probability of a breach times its severity)

That seems simple, but how does an organization actually understand its risk so it can identify, assess and prioritize what needs attention? Answer --> Risk Management

Risk Management:

Risk management follows a specific process, divided into risk identification, risk assessment and risk control: find the assets and the threats to them, score the likelihood and impact of each threat, then decide which risks to mitigate, transfer, avoid or accept.
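The formula above and the identify, assess, prioritize process can be made concrete with a small risk register. The following is an added example written for this post, not code from the original post or from the cited course; it assumes a qualitative 1..5 scale for likelihood and impact, a tolerance threshold expressed on the resulting 1..25 scale, and a hypothetical sample register. It also shows the quantitative form of the same formula, annualized loss expectancy (ALE = asset value × exposure factor × annualized rate of occurrence), which the post does not mention but which is the same probability-times-severity idea in dollars.

```python
"""Added example: a minimal risk register implementing Risk = Likelihood x Impact."""
from dataclasses import dataclass

SCALE = range(1, 6)  # qualitative 1..5 scales (assumed convention for this example)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = catastrophic

    def __post_init__(self) -> None:
        # Refuse out-of-scale values rather than silently producing a bogus score.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        # Risk = Likelihood x Impact, on a 1..25 scale
        return self.likelihood * self.impact


def prioritize(register, tolerance):
    """Return (risk, score, within_tolerance) triples, highest score first.

    `tolerance` is the organization's risk appetite on the same 1..25 scale:
    anything scoring above it needs a control decision (mitigate, transfer,
    avoid); anything at or below it may be accepted and monitored.
    Ties are broken by impact, so a high-impact risk ranks above an equally
    scored high-likelihood one.
    """
    ranked = sorted(register, key=lambda r: (-r.score, -r.impact, r.name))
    return [(r, r.score, r.score <= tolerance) for r in ranked]


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """Quantitative form of the same formula: ALE = SLE x ARO, where
    SLE (single loss expectancy) = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value")
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return asset_value * exposure_factor * aro


# Constructed sample register (hypothetical entries, not from the original post)
SAMPLE_REGISTER = [
    Risk("unpatched internet-facing web server", likelihood=4, impact=4),
    Risk("lost unencrypted laptop", likelihood=3, impact=3),
    Risk("data-center flood", likelihood=1, impact=5),
    Risk("phishing leads to credential theft", likelihood=5, impact=3),
]

if __name__ == "__main__":
    # Tolerance of 9 is an assumed appetite; the organization sets its own.
    for risk, score, ok in prioritize(SAMPLE_REGISTER, tolerance=9):
        print(f"{score:>2}  {'accept' if ok else 'treat '}  {risk.name}")
    print(f"ALE for a $500k asset, EF 0.2, ARO 0.5: "
          f"${annualized_loss_expectancy(500_000, 0.2, 0.5):,.0f}")
```

The point the ranking makes is the one the post makes in prose: a rare but catastrophic event (the flood) can score below a likely, moderate one (phishing), and only a stated tolerance tells you which rows demand a control and which you are consciously accepting.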

Reference for great visuals:
Vlajic, N. "Security Risk Management." CSE 4482 Computer Security Management: Assessment and Forensics (course slides, York University). Web, accessed 4 May 2013. http://www.cse.yorku.ca/course_archive/2010-11/F/4482/CSE4482_03_SecurityRiskManagement_Part1.pdf
