    IT Policy, Risk Management: Presentation Transcript

    • Prepared for: Professor Dr. Wan Rozaini bt Sheik Osman. Prepared by: Ali Raad Abdulkareem (808934)
    • Every company has a mission to achieve. Institutions today mostly rely on automated IT systems to manage the information that supports that mission, and they must manage risk to protect the organization's assets, even though managing risk is not an easy task. Every organization faces uncertainty, and it falls to IT professionals to understand and manage it. Managing uncertainty is difficult: problems such as limited resources and an ever-changing landscape of threats and vulnerabilities can make managing the risks seem impossible. (Retains, 2006)
    • Risk management is a process for identifying, assessing, and prioritizing risks of different kinds. Once the risks are identified, the risk manager creates a plan to minimize or eliminate the impact of negative events. A variety of strategies are available, depending on the type of risk and the type of business. (www.theglobalone.net)
    • A threat is one kind of risk. Based on the National Institute of Standards and Technology Special Publication 800-30, a threat is the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A threat-source is either (1) intent and method targeted at the intentional exploitation of a vulnerability, or (2) a situation and method that may accidentally trigger a vulnerability. (Gary, Alice and Alexis, 2002)
    • Another kind of risk is the vulnerability. A vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. (en.wikipedia.org)
    • An issue can be positive or negative. In the IT field, an issue is a problem, or possibly an opportunity, that can affect IT or business work and projects. Issues are related to risk: if we can handle and deal with the issue, we reduce or minimize the risk. (Chris Chapman and Stephen Ward, 2009)
    • Risk management is the practice of identifying, assessing, controlling and mitigating risks. Threats and vulnerabilities are key drivers of risk, so identifying the threats and vulnerabilities relevant to the organization is an important step; after that, action can be taken to reduce potential losses from these risks. Remember, risk cannot be deleted or eliminated, but it can be reduced and handled if it is identified, evaluated, controlled and reviewed correctly. This is what is called risk management. (Darril Gibson, 2011)
    • How to assess the risk? The question that arises before managing risk is how to assess it. There are two general processes of risk assessment: 1. Qualitative risk assessment; 2. Quantitative risk assessment. (Retains, 2006)
    • Quantitative risk assessment is related to mathematics, numbers, insurance and finance. Finance and insurance companies draw on these methodologies because they are the standard way to measure risk in fields such as insurance and finance. (Retains, 2006)
    • Qualitative risk assessment defines risk in qualitative or subjective terms; in a qualitative assessment the risk is categorized as "High, Moderate or Low". This can make it more difficult to communicate concisely to management. The difficulty faced in qualitative risk assessment is defining the likelihood and impact values, and the same difficulty applies to quantitative risk assessment. (Retains, 2006)
    • Risk is common to every project: every project carries risk, whether high, medium or low. Note, however, that not all risks can be eliminated completely; most can be anticipated and managed ahead of time. Strategies for managing risk: Mitigation, Acceptance, Avoidance, Transference. (Retains, 2006)
    • The most common risk management strategy is mitigation. This strategy involves providing some type of compensating control in order to reduce the likelihood or impact associated with the flaw. The process of determining the mitigation can be called control analysis. Put another way, risk mitigation is defined as a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence; it is also called risk reduction (www.businessdictionary.com). (Retains, 2006)
    • Transference is not widely used in the IT field. As the name states, the risk is transferred to another party: transference is the process of allowing another party to accept the risk on your behalf. (Retains, 2006)
    • The risk avoidance strategy describes an informed decision not to become involved in activities that could lead to the risk being realized; in other words, avoid the risk. In information systems, avoidance means the practice of removing the vulnerable aspect of the system, or even the system itself. (Retains, 2006)
    • The risk acceptance strategy is to accept a known risk. Many low risks may simply be accepted, and there are cases where even extremely high-cost risks are accepted. Once a risk is accepted, the organization knows exactly what risks it takes and their consequences, so it needs to seriously consider, identify and rate the risks. (Retains, 2006)
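    As an added worked example (not from the slides), the following Python rates a constructed risk register on the High/Medium/Low scale using the risk-level matrix from NIST SP 800-30 (2002) and then picks one of the four strategies above for each entry; the strategy-selection policy and the register entries are assumptions for illustration.

```python
"""Qualitative risk rating after the NIST SP 800-30 (2002) risk-level matrix."""
from dataclasses import dataclass

# NIST SP 800-30 matrix: risk = likelihood x impact; Low 1-10, Medium >10-50, High >50-100.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass
class Risk:
    threat: str         # threat-source and what it could do
    vulnerability: str  # the flaw that the threat-source could exercise
    likelihood: str     # "High", "Medium" or "Low"
    impact: str         # "High", "Medium" or "Low"

def risk_score(r: Risk) -> float:
    # Numeric score from the two qualitative ratings.
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]

def risk_level(score: float) -> str:
    """Map the score back onto the High / Medium / Low scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def choose_strategy(level: str, control_available: bool, transferable: bool) -> str:
    """Illustrative policy (an assumption, not from NIST or the slides): accept low
    risks; mitigate if a compensating control exists; else transfer if a third
    party will carry the risk; else avoid the activity."""
    if level == "Low":
        return "Acceptance"
    if control_available:
        return "Mitigation"
    if transferable:
        return "Transference"
    return "Avoidance"

# Constructed sample register: (risk, compensating control available?, transferable?)
REGISTER = [
    (Risk("Malware delivered by e-mail", "No attachment filtering", "High", "High"), True, True),
    (Risk("Data-centre fire destroys servers", "No off-site backup", "Medium", "High"), False, True),
    (Risk("Office printer firmware flaw", "Printer not patched", "Low", "Low"), True, False),
    (Risk("Exploit of legacy application", "Unsupported OS, no patches", "Medium", "Medium"), False, False),
]

def assess(register=REGISTER):
    # Returns (threat, risk level, chosen strategy) for each register entry.
    rated = [(risk, risk_level(risk_score(risk)), c, t) for risk, c, t in register]
    return [(r.threat, lvl, choose_strategy(lvl, c, t)) for r, lvl, c, t in rated]
```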
    • In any project, many risks can be identified. Risks may harm the project, or they can be the opportunity that makes the project a success. Managing risk is really important, because a risk may make the project fail if we cannot handle and control it. But before we can manage the risks, we should carefully identify, rate and determine them. Several types of thing can be risks, such as threats, vulnerabilities and issues. There are two ways the risk can be assessed, quantitative and/or qualitative risk assessment, and there are four strategies to manage the risks: mitigation, avoidance, acceptance and transference.
    • References:
      http://www.theglobalone.net/2012/04/featured-article-what-is-risk.html
      http://en.wikipedia.org/wiki/Vulnerability_%28computing%29
      Hetamsaria, Nupur. (2005). Why is risk management important? Retrieved from http://www.rediff.com/money/2005/dec/27guest.htm
      Importance of Risk Management. (n.d.). In Method123 Ltd. Retrieved from http://blog.method123.com/2010/09/08/importance-of-risk-management/
      Lientz, Bennet P., & Larssen, Lee. (2006). Risk Management for IT Projects: How to deal with over 150 Risks and Issues. UK: Elsevier Inc.
      Managing Risk. (2010). In Business Link (UK). Retrieved from http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1074410125&type=RESOURCES
      National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems (July 2002), pages 8, 12, 15.
      Risk Acceptance. (n.d.). In ENISA Online. Retrieved from http://www.enisa.europa.eu/act/rm/cr/risk-management-inventory/rm-process/risk-acceptance
      Schwalbe, K. (2006). Information technology project management (4th ed.). Thompson Learning.