Information Security Program

1. An information security program is the organization's overall effort, including all projects and activities, to improve its information security. It can be viewed as the set of controls the organization needs to govern. For the program to succeed it must have a continuous lifecycle, which means that it never ends. The program has four phases: Assess, Mitigate, Validate, Sustain.
Phase one: Assess. Vulnerability assessment. Look at the network, systems, data, and processes and understand where the weaknesses are that need to be addressed. In this phase the organization needs to identify its assets (physical and logical assets, data center, desktops, network devices,
…
Risk management is the process of identifying the risk to an organization's information assets, represented by vulnerabilities and threats, and taking the steps necessary to reduce that risk to an acceptable level. Risk is the possibility that something bad will happen to the organization's information assets. More specifically, risk is the likelihood that a vulnerability will be exploited multiplied by the value of the affected asset; what remains after security controls have been applied to mitigate it is the residual risk, and that is what must be brought down to an acceptable level. A vulnerability is a weakness that allows exploitation to harm an organization's information asset. A threat is anything with the potential to harm an organization's information asset. One of the critical success factors for an information security program is having an Information Risk Management (IRM) policy. An IRM policy maps business objectives to security, management's support, security goals, and …
Identifying the assets for review is done by the managers of the environment under review, working with the security project manager. Asset identification, and the values assigned to those assets, are crucial to the business. In this step the assets need to be identified, especially those critical to business operations. Assets can be physical or logical: data centers, desktops, remote systems, network devices, and systems that process, manage, and store personal information. This is done through documentation review and interviews with business managers and technical experts. Evaluate the importance of the assets: after the assets are identified, each needs to be assigned a value in terms of how much business impact it carries. Once the value is determined, data is classified by importance, which in turn shapes the risk reduction plan. Next, vulnerabilities need to be identified, using vulnerability scanners, penetration testing, and checklists. After the vulnerabilities are identified, we identify the threats that could harm or affect critical operations and assets. The next step is to develop a risk profile, which lets us analyze and rank risks by their impact on the environment. Lastly, a risk reduction plan needs to be developed. Here we need to evaluate existing
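The assessment steps above (identify and value assets, classify them, pair each with a vulnerability and threat, apply existing controls, rank the result into a risk profile) and the risk formula given earlier (likelihood of exploitation multiplied by asset value, evaluated after controls) can be carried through in a small risk register. The code below is an added example, not part of the essay; the asset names, values, likelihoods, control-effectiveness figures, the three classification tiers and the acceptable-risk threshold are all constructed assumptions chosen for illustration, not real data or a standard scale.

```python
"""Added example: a minimal information-risk register.

Assumptions (not from the essay): likelihood and control effectiveness are
probabilities in [0, 1]; asset value is a business-impact figure in currency
units; the classification tiers and the risk appetite are arbitrary cut-offs.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # business impact if fully compromised (assumed scale)
    classification: str   # derived from value by classify()


@dataclass
class Risk:
    asset: Asset
    vulnerability: str
    threat: str
    likelihood: float                 # P(exploited in a year) with no controls
    control_effectiveness: float = 0  # fraction of likelihood removed by controls

    @property
    def inherent(self) -> float:
        """Likelihood x asset value before any control is applied."""
        return self.likelihood * self.asset.value

    @property
    def residual(self) -> float:
        """Risk remaining after existing controls cut the likelihood."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control effectiveness must be in [0, 1]")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be a probability")
        return self.likelihood * (1.0 - self.control_effectiveness) * self.asset.value


def classify(value: float) -> str:
    """Assumed three-tier classification by business impact."""
    if value >= 500_000:
        return "critical"
    if value >= 50_000:
        return "important"
    return "routine"


def make_asset(name: str, value: float) -> Asset:
    return Asset(name, value, classify(value))


def risk_profile(risks, appetite: float):
    """Rank risks by residual value, highest first, and flag each one that
    still exceeds the acceptable level `appetite` (those go into the
    risk reduction plan)."""
    ranked = sorted(risks, key=lambda r: r.residual, reverse=True)
    return [(r, r.residual > appetite) for r in ranked]


# Constructed sample inventory; every number here is made up.
DATA_CENTER = make_asset("data center", 2_000_000)
PII_DB = make_asset("customer PII database", 800_000)
WORKSTATION = make_asset("staff workstation", 10_000)

SAMPLE_RISKS = [
    Risk(PII_DB, "unpatched DB server", "external attacker",
         likelihood=0.30, control_effectiveness=0.5),
    Risk(DATA_CENTER, "single power feed", "utility outage",
         likelihood=0.05, control_effectiveness=0.8),
    Risk(WORKSTATION, "no disk encryption", "laptop theft",
         likelihood=0.20, control_effectiveness=0.0),
]

if __name__ == "__main__":
    for risk, needs_treatment in risk_profile(SAMPLE_RISKS, appetite=50_000):
        print(f"{risk.asset.name:24} [{risk.asset.classification:9}] "
              f"{risk.vulnerability} / {risk.threat}: "
              f"inherent={risk.inherent:,.0f} residual={risk.residual:,.0f} "
              f"{'TREAT' if needs_treatment else 'accept'}")
```

With the sample figures the PII database ranks first (inherent 240,000, residual 120,000) and is the only entry above the assumed appetite of 50,000, so it alone would enter the risk reduction plan; the data center's high asset value is offset by a well-controlled, low-likelihood threat, which is the point of scoring after controls rather than by asset value alone.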
