1. What is risk management?
Risk management is identifying and justifying the controls that should be put into place to manage the risks associated with doing business as "normal".
2.What are vulnerabilities?
A vulnerability is any weakness in the current security system of the organization. To identify vulnerabilities you must start by identifying your assets, then determine how important each asset is and what threatens it. Once the threat is identified you can determine what can be done to strengthen the security system against that vulnerability. Some vulnerabilities are unrealistic and do not need to be protected against, and others would cost more to protect against than the asset is worth. Good managers identify vulnerabilities and do a cost-benefit analysis to see what must be done to effectively protect all assets associated with the organization's information system.
2. What are the facets of risk management?
There are four key areas of risk management:
1) Understand your organization and how it operates: Managers must identify and understand the computers and systems in the organization, and they must recognize what is important to the company so that they know what must be protected. They must keep inventory records and know the value of assets. They must also identify the threats posed to those assets, evaluate what steps have already been taken to guard against potential attacks, and determine whether further steps need to be taken.
2) Identify your enemies and the threats they pose: This step identifies all of the threats that may be posed to your organization. Documentation must be produced that prioritizes the threats and lays out the steps to be taken if an attack occurs. This includes a Business Continuity Plan and an Incident Response Plan.
3) Involve relevant groups within the organization: Any individuals within the organization that interact with the system must be made a part of the design and implementation of security within the organization in order for it to be effective. Information Systems usually controls the actual maintenance and administration of the system, however management will have some say in the controls necessary for maintaining a workable system. It is also important to involve all individuals that will be interacting with the system because each person poses a security risk. Therefore, it is important to educate each user on potential risks and threats that they may pose.
4) Integrate the Security Systems Development Lifecycle into the organization: Using the SecSDLC method, a top-down approach is implemented, and it becomes possible to identify, analyze, design, and implement a working system that provides adequate security. It also helps in developing organizational policies that are both manageable and scalable. SecSDLC makes it easier to achieve the other key areas of risk management and to organize the risks.
3. Who is held accountable for risk management?
Everyone within an organization can be held accountable to some degree, but the information systems officer and security technicians are directly in control of safeguarding a system and of writing and implementing policy. In most organizations this is a hierarchical model, which allows authority over certain areas of risk management to be delegated to specific individuals who are then answerable for anything going wrong in their respective areas. Basically, the Chief Information Officer delegates authority over certain assets to division managers, those managers delegate authority within their divisions to department managers, and those managers delegate authority to their individual workers, and so on.
4. What are the plans that an organization should have to prepare for risks?
1) Business continuity plan: This provides a plan of action for a business to continue on schedule after an incident occurs.
2) Disaster recovery plan: This outlines what should be done in the case of a natural disaster.
3) Incident response plan: This determines the necessary steps to be taken by an organization when an incident occurs.
5. What is risk avoidance?
Risk avoidance is taking the necessary precautions to prevent the exploitation of a vulnerability.
6. Is there a formula for equating risk?
Risk = % chance of occurrence * asset value - percentage of risk already controlled. This formula is used to estimate the amount of risk present. The chance of occurrence is normally based on past occurrences of vulnerabilities in the system, or possibly on national statistics, which may or may not be accurate.
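An added example (not from the original notes) that applies the formula above to a small constructed asset list, ranks the assets by residual risk, and applies the cost-benefit check from question 2 (a control that costs more than the asset is worth is not justified). It assumes that "percentage of risk already controlled" is applied as a fraction of the raw risk, and the asset values, likelihoods and control costs are made up for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    name: str
    value: float         # asset value (relative score or dollars)
    likelihood: float    # % chance of occurrence per period, as 0.0..1.0
    controlled: float    # fraction of the risk already controlled, 0.0..1.0
    control_cost: float  # cost of the additional control being considered


def residual_risk(a: Asset) -> float:
    """Page formula: chance of occurrence * asset value, reduced by the
    share of that risk already controlled (interpretation assumed here)."""
    if not 0.0 <= a.likelihood <= 1.0 or not 0.0 <= a.controlled <= 1.0:
        raise ValueError(f"{a.name}: likelihood and controlled must be in [0, 1]")
    raw_risk = a.likelihood * a.value
    return raw_risk - raw_risk * a.controlled


def worth_protecting(a: Asset) -> bool:
    """Cost-benefit check: skip controls that cost more than the asset is worth."""
    return a.control_cost <= a.value


def rank_assets(assets: List[Asset]) -> List[Asset]:
    """Highest residual risk first, so managers see what to address first."""
    return sorted(assets, key=residual_risk, reverse=True)


# Constructed sample register (illustrative values, not real data)
SAMPLE_ASSETS = [
    Asset("customer database", value=100.0, likelihood=0.5, controlled=0.4, control_cost=20.0),
    Asset("public web server", value=60.0, likelihood=0.8, controlled=0.25, control_cost=10.0),
    Asset("lobby kiosk", value=5.0, likelihood=0.3, controlled=0.0, control_cost=8.0),
]

if __name__ == "__main__":
    for asset in rank_assets(SAMPLE_ASSETS):
        verdict = "justified" if worth_protecting(asset) else "costs more than asset"
        print(f"{asset.name:20s} residual risk {residual_risk(asset):6.1f}  control {verdict}")
```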
7. What is risk transference?
Risk transference is the security control approach that attempts to shift the risk to other assets, processes, or organizations.
8. What is risk mitigation?
Risk mitigation is the security approach that attempts to decrease the effects of an attack by preparing for it ahead of time. It develops plans to be used in emergencies and incidents. These plans support the business continuity plan, keeping the business up and running with as little downtime as possible.
9. What is risk acceptance?
Risk acceptance is accepting that some things cannot be prepared for, or that the risk is very unlikely. This could be something as small as a lightning strike or as large as a nuclear holocaust.
10. Is security outsourcing good?
Since many organizations are not in the business of computer system security, they are unlikely to be equipped to handle their own system's security. By transferring the risk to a security professional or a security business, they get expert help and do not have to deal with the security problems themselves.
