In this video, Kip Boyle explains what risk management means for an information security program. Learn some key ways to manage risk in an effective information security program.
- [Narrator] What is risk management? Risk is a chance of harm or loss. In other words, risk is uncertainty about your future. When you're in business there are many risks, such as losing a customer, having your trade secrets become public knowledge, or being caught up in an economic recession. For this course, we're focused on the risks to our information and our computers. And there are some major risks.
Will we get cyber attacked? Will someone in our organization mishandle or steal sensitive data? How? When? Will it be bad? Will it happen more than once this year? Turns out there's a lot of uncertainty. So what can you do about it? Well you can use risk management to reduce your uncertainty about your future. Which will also increase your chances of achieving your goals. And increasing your chances is another way of saying more opportunity for success.
When used well, risk management techniques can answer questions like "Where are we most vulnerable to harm with our computers, networks, and sensitive data?" And, "How should we spend our next dollar so we can get the biggest risk management benefit?" Most risk management systems follow a common process. First, identification of assets, threats, and vulnerabilities. Next, assessment of risks. After that, prioritization of risks.
And then risk treatment. There are four categories of risk treatment options. You can use the acronym ACAT to remember them. First, you can stop or avoid doing the risky thing. Or you can use special procedures or safeguards to control the risk. If the cost of risk reduction exceeds the cost of the asset, then you can accept the risk. Finally, you can transfer the risk by buying insurance.
What's powerful is you can combine any of these options. Risk management can be such a useful practice that some people follow formal risk management guidance from standards or organizations, such as ISO 31000 from the International Organization for Standardization, or NIST Special Publication 800-30. I want to share with you a few words of caution about risk management. I've seen many organizations get so focused on doing risk management the right way, or get stuck on the idea that all risks they find have to be completely eliminated, that they become paralyzed and have trouble actually doing the work.
I've also seen organizations implement risk management methods incorrectly and produce poor or even unusable results. And I've seen people struggle to communicate the results of risk management to their boss and executives, which reduces their credibility. How can you avoid these mistakes? It's important for you to accept the fact that there will always be some risk in the big things that you do at work, because taking no risk means you don't have enough opportunity to earn profits or make the world a better place.
Keep your risk methods as simple as possible, and still get the job done. Make sure your risk methods are repeatable and easy to explain to your stakeholders. Great information risk management can provide a competitive advantage for your organization. You'll reduce uncertainty about your future, which will create more opportunity for success.
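As an added illustration of the process the narrator describes (identify assets, threats and vulnerabilities; assess; prioritize; treat with one or more of the ACAT options), here is a small risk register in Python. This is example code written for this page, not material from the course or from Kip Boyle. The 1-to-5 likelihood and impact scale, the "high risk" threshold of 15, the decision rules for avoid, control and transfer, and the four sample register entries are all constructed assumptions; the one rule taken directly from the narration is that a safeguard costing more than the asset is worth points to accepting the risk rather than controlling it.

```python
"""Minimal risk register: identify -> assess -> prioritize -> treat (ACAT).

Constructed example for this page. Scales, thresholds and sample entries are
assumptions chosen to keep the method simple, repeatable and easy to explain.
"""
from dataclasses import dataclass

# The four treatment categories from the narration (ACAT).
AVOID, CONTROL, ACCEPT, TRANSFER = "avoid", "control", "accept", "transfer"

# Assumed threshold: likelihood * impact at or above this counts as "high".
HIGH_RISK_THRESHOLD = 15


@dataclass
class Risk:
    """One row of the register: an asset, a threat to it, and the weakness the
    threat would exploit, plus the numbers needed to assess and treat it."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int              # 1 (negligible) .. 5 (severe); assumed scale
    asset_value: float       # estimated loss if the asset is compromised
    control_cost: float      # cost of the safeguard that would reduce the risk
    insurable: bool = False  # can this loss be covered by a policy?
    optional_activity: bool = False  # could the business simply stop doing it?

    @property
    def score(self) -> int:
        """Assessment: a simple likelihood x impact product (assumed method)."""
        return self.likelihood * self.impact


def prioritize(register):
    """Order the register highest score first; sorted() is stable, so ties keep
    their input order, which keeps the result repeatable."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def choose_treatment(risk, high_threshold=HIGH_RISK_THRESHOLD):
    """Pick ACAT options with a rule set small enough to explain to a stakeholder.

    Rules (all assumptions except rule 2, which restates the narration):
      1. A high-scoring risk on an activity the business can do without -> avoid.
      2. A safeguard that costs more than the asset is worth -> accept.
      3. Otherwise -> control; and a high-scoring, insurable risk also gets
         transfer, showing that options can be combined.
    """
    if risk.score >= high_threshold and risk.optional_activity:
        return [AVOID]
    if risk.control_cost > risk.asset_value:
        return [ACCEPT]
    treatment = [CONTROL]
    if risk.score >= high_threshold and risk.insurable:
        treatment.append(TRANSFER)
    return treatment


def treatment_plan(register):
    """Run the whole process and return one dict per risk, in priority order."""
    return [
        {"asset": r.asset, "threat": r.threat, "score": r.score,
         "treatment": choose_treatment(r)}
        for r in prioritize(register)
    ]


def summarize(plan):
    """One plain-language line per risk, suitable for a status report."""
    return [f"{p['score']:>2}  {p['asset']}: {p['threat']} -> {' + '.join(p['treatment'])}"
            for p in plan]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server",
         likelihood=4, impact=5, asset_value=500_000, control_cost=40_000,
         insurable=True),
    Risk("partner FTP upload service", "credential theft", "cleartext protocol",
         likelihood=3, impact=5, asset_value=200_000, control_cost=30_000,
         optional_activity=True),
    Risk("marketing laptop", "theft", "no disk encryption",
         likelihood=2, impact=2, asset_value=1_500, control_cost=3_000),
    Risk("public website", "defacement", "outdated CMS plugin",
         likelihood=3, impact=3, asset_value=20_000, control_cost=2_000),
]

if __name__ == "__main__":
    for line in summarize(treatment_plan(SAMPLE_REGISTER)):
        print(line)
```

The point of keeping the rules this small is the one the narrator makes: a method a stakeholder can follow in a minute, and that produces the same ordering every time it is run, is worth more than a sophisticated one nobody trusts or understands.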
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance