This document discusses risk management for information technology systems using the spiral model. It provides an overview of the risk management process, which involves identifying risks, assessing risks, and taking steps to reduce risks to an acceptable level. The risk management process should be integrated into the system development life cycle. Key aspects of the risk management process discussed include identifying and assessing risks, developing risk assessment reports, mitigating risks, and ensuring ongoing evaluation and assessment of IT-related risks. Senior management commitment, user community awareness and cooperation, and evaluation of risks are keys to success for a risk management program.
Risk management is the process of analyzing exposure to risk and determining how to best handle such exposure.
Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
This white paper compares the traditional threat identification techniques and the challenges they pose when applied to current product designs. It also proposes the key elements to consider while designing new threat identification solutions.
Risk Management and Security in Strategic Planning (Keyaan Williams)
This content was originally presented to the DFW chapter of the Society for Information Management. The presentation evaluates the role of risk management and security in the strategic planning process that defines the direction and prioritization of resources used by an organization.
Vendor Cybersecurity Governance: Scaling the Risk (Sarah Clarke)
An overview of the scale of the challenge and rational ways to cut it down to a manageable and governable size. The slides complement recent supplier security governance posts on Infospectives.co.uk and LinkedIn.
This research work x-rays the indispensability of continuous risk assessment of data and communication devices, to ensure that full business uptime is assured and to minimize, if not completely eradicate, downtime caused by “unwanted elements of the society” ranging from hackers, invaders and network attackers to cyber terrorists. Considering the high cost of downtime and its huge negative business impact, it becomes extremely necessary and critical to proactively monitor, protect and defend your business and organization by ensuring prompt and regular risk assessment of the data and communication devices which form the digital walls of the organization. The work also briefly highlights the methodologies used, methodically discusses core risk assessment processes, the common existing network architecture and its main vulnerabilities, the proposed network architecture and its risk assessment integration (proof), highlights the strengths of the proposed architecture in the face of present-day business threats and opportunities, and finally emphasizes the importance of consistent communication and consultation with stakeholders and Original Equipment Manufacturers (OEMs).
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
Satori Whitepaper: Threat Intelligence - a path to taming digital threats (Dean Evans)
Threat management continues to be a hot topic within cybersecurity, and rightfully so. Understanding the evolving technical and behavioral threat landscape and adapting mitigation controls is the key to proactive risk management. Actionable threat intelligence is critical to enabling effective threat management. It provides visibility into the temperature within the threat actor community: what they are doing and how they are doing it (tactics, techniques and procedures, or TTPs). The challenge is sorting through the volumes of threat data to identify what is relevant and actionable.
This document is intended to communicate how threat intelligence can be used to reduce business risk. The audience is security, compliance and IT professionals interested in proactive risk management.
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz... (Editor IJCATR)
With the increasing use of computers in business, information security has also become a key issue in organizations. Risk assessment in organizations is vital in order to identify threats and take appropriate measures. Various risk assessment methodologies exist, which organizations use depending on their type and needs. In this research the OCTAVE methodology has been used, following a comparative study of various methodologies, due to its flexibility and simplicity. The methodology was implemented in a financial institution and the results of its efficacy are discussed.
Brian Dennison
John Denson
IT454 -1504B-01
Mon, 12/14/15
SECTION 4: ASSESSING RISK
Risk assessment and management is one of the highest priorities for any organization seeking to safeguard its property and assets. In a turbulent environment, all information and security vulnerabilities must be handled in a way consistent with many regulations. Selected and tested methodologies have been defined and framed to guide risk assessment in organizations; these frameworks exist to help and guide security and risk work. One such methodology is Factor Analysis of Information Risk, abbreviated FAIR.
FAIR is a methodology for understanding, analyzing and measuring information risk. Information security policy and practice have so far offered inadequate help in effectively managing information risk. With so little to go on, managers and system owners have found it hard to make effective, well-informed decisions to safeguard their systems against such risks and uncertainties as may arise.
FAIR was developed to address these weaknesses in security practice. The main aim of the methodology is to allow an organization to direct its effort at the various risks as they arise: risk is assessed in a consistent way and measures are taken to counter it. The method lets the organization defend or challenge a risk determination using rigorous analysis techniques, and understand how time and resources such as money will affect the organization's security profile in general.
The methodology consists of the following components: a standardized nomenclature for risk terms, a framework for data collection, a taxonomy for information risk, a computational engine for evaluating the risk model, measurement scales for the risk factors, and a model for analyzing complex risk scenarios. Its major advantage is that it does not rely on an ordinary ordinal scale, such as a one-to-ten rating, and so is not subject to the limitations of such scales. The methodology categorizes risk using high-to-low levels, and colors (red, yellow and green) also form part of the rating. FAIR uses dollar estimates to state losses, and probability parameters for threats and vulnerabilities. When these are combined with ranges of values and confidence levels, they give a sound basis for mathematical modeling, and hence for estimating loss exposure.
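As an added illustration (not code from the paper above, and not the FAIR computational engine or the Open FAIR standard), the following Python shows the kind of calculation that dollar-valued loss estimates with ranges and confidence levels make possible and that a one-to-ten ordinal scale cannot support: a Monte Carlo model of annual loss exposure. The triangular distribution, the Poisson event count, the `Estimate` and `LossScenario` names and the sample scenario figures are all assumptions made for the example.

```python
"""Added, illustrative Monte Carlo loss-exposure model.  It shows the kind of
calculation the FAIR description above refers to (dollar-valued losses,
frequency estimates, ranges with confidence levels) but it is NOT the FAIR
computational engine or the Open FAIR standard.  The triangular distribution,
the Poisson event count and the sample scenario figures are all assumptions
made for illustration."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range: low and high bounds plus a most-likely value."""
    low: float
    most_likely: float
    high: float

    def __post_init__(self) -> None:
        if not 0 <= self.low <= self.most_likely <= self.high:
            raise ValueError(
                f"range must satisfy 0 <= low <= most_likely <= high: {self}")


@dataclass(frozen=True)
class LossScenario:
    name: str
    loss_event_frequency: Estimate   # loss events per year
    loss_magnitude: Estimate         # dollars lost per event


def _poisson(rng: random.Random, rate: float) -> int:
    """Event count for one year at the given rate (Knuth's algorithm; the
    standard library has no Poisson sampler).  Rates used here are small."""
    threshold = math.exp(-rate)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenario: LossScenario, iterations: int = 10_000,
                         seed: int = 1) -> list[float]:
    """One simulated year per iteration: draw a frequency from the range,
    draw how many events occur, and sum a magnitude draw for each event."""
    rng = random.Random(seed)                      # fixed seed: reproducible
    f, m = scenario.loss_event_frequency, scenario.loss_magnitude
    years = []
    for _ in range(iterations):
        rate = rng.triangular(f.low, f.high, f.most_likely)
        events = _poisson(rng, rate)
        years.append(sum(rng.triangular(m.low, m.high, m.most_likely)
                         for _ in range(events)))
    return years


def loss_exposure(annual_losses: list[float], tolerance: float) -> dict:
    """Summarise the distribution: expected annual loss, the 10th/50th/90th
    percentiles, and the probability that a year exceeds the loss tolerance."""
    deciles = statistics.quantiles(annual_losses, n=10)   # 9 cut points
    return {
        "expected_annual_loss": statistics.fmean(annual_losses),
        "p10": deciles[0],
        "p50": deciles[4],
        "p90": deciles[8],
        "p_exceeds_tolerance": sum(x > tolerance for x in annual_losses)
                               / len(annual_losses),
    }


# Constructed scenario (the figures are invented for the example).
PHISHING = LossScenario(
    "Credential phishing against finance staff",
    loss_event_frequency=Estimate(0.5, 2.0, 6.0),        # events per year
    loss_magnitude=Estimate(5_000, 40_000, 250_000),     # dollars per event
)

if __name__ == "__main__":
    losses = simulate_annual_loss(PHISHING)
    for key, value in loss_exposure(losses, tolerance=200_000).items():
        print(f"{key:>22}: {value:,.2f}")
```

The output is a distribution rather than a single score: the 90th percentile and the probability of exceeding a stated tolerance are what a budget holder can compare against the cost of a control, which is the decision the FAIR description above is aiming at.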
A risk, whether assessed quantitatively or qualitatively, must be dealt with by the organization. There are four ways to treat it: accept, avoid, mitigate and transfer.
Accept: This is the willingness of the organization to assume the risk. It is a managerial and business decision. The organization does not simply assume the risk when it is first identified; acceptance comes after the risk level has been determined and the assumptions made. Therefore, the best course of action should be in plans t.
Risk management plan
Executive Summary
The past few decades have seen technological evolution on a rapid scale, with the growth of the industry taking the world by storm. Governments and companies alike are investing in further research and development of futuristic technologies in order to work towards a more efficient future in terms of productivity and task automation. The evolution of computers, and the availability to the public of powerful technologies with high processing power, some of them small and portable, has led to people literally having information in their hands.
However, alongside the advantages of the recently introduced technologies, there are threats brought about by the same, since they have raised privacy and other security concerns as well as health concerns associated with a number of the devices. This paper is aimed at identifying strategies to handle risks which may arise from the continuous development of new technologies (Galati, 2015). Comment by Schneider, Paul: This is the only sentence in this summary which focuses on the paper, and it does a very poor job of previewing everything that the reader will see in this paper.
Project Summary
Scope Comment by Schneider, Paul: This section tells me nothing about the scope for your project. What are the task/activities needed to successfully complete your project?
This report is important in analyzing why information technologies need to be managed and security implemented: since their introduction most companies have taken them up, hence the need to prevent attacks via the technologies implemented. Critical business processes rely on information technologies, so they need safeguarding against hacking attacks and other similar threats.
Milestones Comment by Schneider, Paul: This section tells me nothing about the milestones for your project. When does the project start? When does the project end? What are all of the milestones between the start & end?
All businesses, especially in a technologically growing and dependent world, need to learn the vulnerabilities posed by these developments as well as the methods which can be used to control or curb them. Most companies have successfully put in place firewalls and network administrators to monitor, analyze and notify of irregularities which may cause a breach of sensitive company information.
Cost Constraints Comment by Schneider, Paul: Very poor job.
Implementing security within information technologies involves costs, some one-off and others recurrent, but all serving the same purpose. Costs of implementing security protocols include the purchase of hardware and software offering security, such as firewalls, antivirus and antimalware programs, and network intrusion detection programs. Costs can also arise from contracting an external organization to ...
Chapter 1: The International Information Systems Security Certifi.docx (cravennichole326)
Chapter 1
The International Information Systems Security Certification Consortium (ISC)2 Common Body of Knowledge (CBK) defines the key areas of knowledge for Information Security Governance and Risk Management in this way:
The Information Security Governance and Risk Management domain entails the identification of an organization’s information assets and the development, documentation, implementation and updating of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security measures and controls can be implemented.
The candidate is expected to understand the planning, organization, roles and responsibilities of individuals in identifying and securing an organization’s information assets; the development and use of policies stating management’s views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; third-party management and service level agreements related to information security; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.
Key areas of knowledge:
Understand and align security function to goals, mission, and objectives of the organization
Understand and apply security governance
Understand and apply concepts of confidentiality, integrity, and availability
Develop and implement security policy
Manage the information life cycle (e.g., classification, categorization, and ownership)
Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
Understand and apply risk management concepts
Manage personnel security
Develop and manage security education, training, and awareness
Manage the security function
Even though this domain is positioned as number 3 in the Certified Information Systems Security Professional (CISSP) common body of knowledge, it is placed first in this book because all security activities should take place as a result of security and risk management processes.
Organizational Purpose
In order to protect an organization’s assets, it is first necessary to understand several basic characteristics of the organization, including its goals, mission, and objectives. All of these are statements that define what the organization desires to achieve and how it will proceed to achieve them. These three terms are described in more detail as follows:
(Gregory 2)
Gregory, Peter. CISSP Guide to Security Essentials, 2nd Edi ...
DEPARTMENT: CYBERSECURITY
What’s Your IT Risk Approach? (LinaCovington707)
Risk is the likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability. To identify risks, you need to identify the threats and vulnerabilities and then estimate the likelihood of a threat exploiting a vulnerability. Risk management starts with an understanding of the threats and vulnerabilities, after which the appropriate mitigation action is identified. It is a series of coordinated activities to direct and control challenges or threats to achieving an organization’s goals. Enterprise Risk Management (ERM) is an organization-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.
Cybersecurity risk is the risk to an organization’s operations (mission, function, image, reputation), organizational assets, individuals, and the nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. Information system–related security risks are those that arise through the loss of confidentiality, integrity, or availability of information systems. Cyber risk, like any other type of risk, cannot be eliminated; it must be managed. Effective cybersecurity demands the shared responsibility of all. The management of organizational risk is a key element of an enterprise-wide information security program that provides an effective framework for minimizing risks from security threats.
The objective of a cybersecurity risk-management program is to provide an integrated view of IT risk across the entire organization and to ensure that risk issues are integrated into the strategic decision-making process to further the achievement of performance goals. Within the US Department of Education’s Federal Student Aid (FSA) cybersecurity risk-management program, the objective is to strengthen information technology systems’ security through effective risk management: understand the threats and vulnerabilities, and then mitigate the risks or reduce the potential impacts. Effectively managing cybersecurity risk is a continuous activity and requires communication across all levels of an organization.
OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control [1], requires all federal agencies to implement an ERM capability. ERM is the discipline that identifies, assesses, and manages risks to allow concentration of effort on key points of failure and to reduce or eliminate potentially disruptive events. ERM is part of the overall governance process and is an integral part of cybersecurity risk management, ensuring that actions taken support the enterprise mission and goals. It provides a holistic approach to managing risk opportunistically to achieve maximum results for the ...
PECB Webinar: Risk Management in IT-intensive SMEs (PECB)
The webinar covers:
• Risk management process in IT intensive SMEs
• Challenges for usage of generic risk management methodologies
• Overview of simplified risk management methodology for IT intensive SMEs
Presenter:
This webinar was presented by Jasmina Trajkovski, Managing Director of Trajkovski & Partners Consulting who has more than 15 years of experience in IT consulting.
Link to the recorded session published on YouTube: https://youtu.be/1X4qTy1FzbY
Best Open Threat Management Platform in USA (Seceon)
Threat management is a process used by cybersecurity analysts, incident responders and threat hunters to prevent cyberattacks, detect cyberthreats and respond to security incidents.
In an increasingly digital world, where businesses rely heavily on interconnected systems and data flows, the importance of robust cybersecurity measures cannot be overstated. One crucial aspect of safeguarding your digital assets is vulnerability management. In this blog post, we'll explore what vulnerability management is, why it matters, and how to establish an effective vulnerability management program for your organization.
Rajendra Ganpatrao Sabale, Dr. A.R. Dani / International Journal of Engineering Research and Applications (IJERA), ISSN: 2248-9622, www.ijera.com, Vol. 2, Issue 4, June-July 2012, pp. 712-716
Risk Management Using Spiral Model for Information Technology
Rajendra Ganpatrao Sabale, Dr. A.R Dani
Student of Ph.D., Singhania University, Pacheri Bari, Dist. Jhunjhunu (Rajasthan), India
International Institute of Information Technology, Pune (Maharashtra), India
Abstract:
Nowadays almost everything has been digitized and networked, either through a Local Area Network or the Internet. In this digital era, as organizations use automated information technology (IT) systems to process information for improved support in achieving their objectives, risk management plays a critical role in protecting an organization‘s information assets, and therefore its aim, from IT-related risk.
This paper provides information about IT risk management and good practices to follow to minimize risk. It provides a foundation for the development of an effective risk management policy.
Keywords: automated information, digitized, risk management
Introduction:
1. An effective risk management process is an important component of a successful IT security program. The risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization. The principal goal of an organization‘s risk management process should be to protect the organization and its ability to achieve its objectives. Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence.
2. Purpose
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This paper provides groundwork for the development of a successful risk management program.
3. Objective
The objective of performing risk management is to enable the organization to accomplish its task:
By better securing the IT systems that store, process, or transmit organizational information;
By enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget;
By assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.
4. Target Addressees
This paper provides a common foundation for experienced and inexperienced, technical, and non-technical personnel who support or use the risk management process for their IT systems. These personnel include:
The Designated Approving Authority (DAA), who is responsible for the final decision on whether to allow operation of an IT system
The IT security program manager, who implements the security program
Information system security officers (ISSO), who are responsible for IT security
Business or functional managers, who are responsible for the IT procurement process
Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems
IT system and application programmers, who develop and maintain code that could affect system and data integrity
Information system auditors, who audit IT systems
IT consultants, who support clients in risk management.
5. IMPORTANCE OF RISK MANAGEMENT
Risk management encompasses three processes: risk assessment, risk mitigation, and ongoing evaluation and assessment. Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of daily routine work. Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems.
Effective risk management must be totally integrated into the System Development Life Cycle (SDLC). Risk management can be performed in support of each SDLC phase.
Phase 1—Initiation
• Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).
Phase 2—Development or Acquisition
• The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.
Phase 3—Implementation
• The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding the risks identified must be made prior to system operation.
Phase 4—Operation or Maintenance
• Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).
Phase 5—Disposal
• Risk management activities are performed for system components that will be disposed of or replaced, to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.
6. Risk Management Process
The risk management process involves:
Identify Organizational Risks: by surveys, interviews, and solicitation of input across divisions and departments.
Assess Each Identified Risk in terms of:
o Probability - the likelihood of the risk being realized
o Inherent Risk - the nature of the risk event
o Mitigation Control Effectiveness - the effectiveness of mitigation plans
6.1 How to identify Risks?
A risk management application provides tools to quickly put together surveys and polls for gathering input from professionals and employees. This data is then collated into a list of identified risks for the organization. The list can be reviewed periodically and updated based on current business scenarios.
A frequently used technique in security analysis, and in particular in risk identification, is so-called structured brainstorming (HazOp analysis [18] is a kind of structured brainstorming). It may be understood as a structured ―walk-through‖ of the target of analysis.
The main idea of structured brainstorming is that a group of people with different competencies and backgrounds will view the target from different perspectives and therefore identify more, and possibly other, risks than individuals or a more homogeneous group would. The input to a brainstorming session is various kinds of target models (e.g. UML models). The models are assessed in a stepwise and structured manner under the guidance of the security analysis leader. The identified risks are documented by an analysis secretary.
The first step in developing a language model is the construction of a conceptual model based on standardized security risk analysis terminology; the most intuitive and common interpretations of the terms are used. The conceptual model can be seen as a kind of abstract syntax for the language, and is shown in the diagram.
The conceptual model using UML class diagram notation
The conceptual model may be explained as follows: stakeholders are those people and organizations who may affect, be affected by, or perceive themselves to be affected by, a decision or activity regarding the target of analysis. An asset is something to which a stakeholder directly assigns value, and hence for which the stakeholder requires protection. Assets are subject to vulnerabilities, which are weaknesses that can be exploited by one or more threats. A threat is a potential cause of an unwanted incident.
6.2 Risk Assessment
Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. Risk is a function of the likelihood of a given threat-source’s exercising a particular vulnerability, and the resulting impact of that adverse event on the organization. Consequence is the level of impact that the potential risk event can have on the achievement of business objectives; it is measured on a 5-level rating scale. Probability is the likelihood of occurrence of the potential risk event which may lead to the assessed consequences; it is measured on a 5-level rating scale in the risk survey (25 - Almost Certain, 20 - Likely, 15 - Possible, 10 - Unlikely, 5 - Rare).
6.2.1 Calculating Inherent Risk
Inherent risk signifies the exposure arising from a specific risk event before any action has been taken to manage it.
Inherent Risk = Consequence × Probability
The inherent risk rating is exhibited on a 4-level rating scale (Extreme Risk, High Risk, Moderate Risk, Low Risk).
6.3 Risk Assessment Report
There are different kinds of risk assessment reports. As risk assessment follows risk identification, many of these documents are based on the risk identification reports. Documentation is done in a systematic way and can draw on different inputs. Some of them are:
Stakeholder Analysis Risk Report: identifies probable risks posed by stakeholders and the impact those risks might have on other stakeholders or on the project at large.
WBS Risk Report: the work breakdown structure, broken down to work packages, can be assessed for risks. It may detail risks at different stages based on cost, schedule, resource and manpower factors.
Scope Risk Report: the scope statement or mission statement may be assessed for risks at the beginning of a project; for example, the impact of a particular project on the community.
Cost Evaluation Risk Report: cost or funds are at constant risk in a project and must be maintained and controlled with as little deviation as possible from the forecast values. Risks related to cost are recorded in the cost evaluation risk report.
Schedule Evaluation Risk Report: time is a luxury that a project cannot afford, and schedules must be met with as little delay as possible. Time delays can impact the progress of a project and put it at risk. Such risks are documented in the schedule evaluation risk report.
Technical Evaluation Risk Report: risks related to resources, manpower and departments fall under this category, as do risks arising from quality constraints, design errors and poor planning.
6.4 Risk Mitigation
A systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence is called risk
mitigation, also called risk reduction. A solution to mitigate the risk is developed and modeled to determine the
level of reduced risk versus the cost to implement it. If the solution provides an acceptable level of reduction in
risk for the associated cost, it is considered successful and the process is complete.
The RMP can be thought of as a spiral model that allows a user to complete the process and then review
the results. If the risk mitigation process was successful, the process stops at the end of the post-mitigation task.
If the residual risk or the cost is not acceptable, the entire process is repeated to determine whether it can be
improved. The post-mitigation review should re-score the residual risk on the same consequence and probability
scales used for the inherent risk, so that the reduction achieved and the cost of the control can be compared across
risks. Best practice requires that the known and perceived risks be analyzed according to the degree and likelihood
of the adverse results that are anticipated. All such risks are then documented according to their levels of
priority in a form known as the risk mitigation plan. After that, the corresponding risk mitigation strategies are
developed and integrated, and referenced against the previously prepared risk management plan. The risk mitigation
plan serves as the checklist of anticipated risks, ordered by the degree of their probability as High, Medium or
Low. Some project managers, however, deem it more appropriate to categorize the risks as Most Likely, Likely or
Unlikely.
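The inherent-risk formula of 6.2.1 and the spiral mitigation loop described above, as one added worked example in Python; this is not code from the paper. Only the probability scale (25 Almost Certain down to 5 Rare) is the paper's. The consequence values (1 to 5), the floors that map the product onto the four bands, the accepted level (Moderate or Low), the control model (each candidate control removes a number of probability or consequence levels at a given cost) and the sample risk register are assumptions made for the example.

```python
"""Inherent-risk scoring and a spiral mitigation loop (added example, not the
paper's code).  Only the probability scale comes from the paper; the
consequence values, band floors, accepted level, control model and sample
register are ASSUMPTIONS made for this example."""
from dataclasses import dataclass, field

# Paper's probability scale, low to high; value = 5 * (level + 1).
PROBABILITY = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
# ASSUMED consequence scale (paper only says "5 level rating"); value = level + 1.
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
# ASSUMED floors on the product (range 5..125) for the paper's 4 bands.
BANDS = (("Extreme Risk", 75), ("High Risk", 40), ("Moderate Risk", 20), ("Low Risk", 5))
ACCEPTABLE = {"Moderate Risk", "Low Risk"}  # ASSUMED risk appetite


def inherent_risk(consequence: str, probability: str) -> int:
    """Inherent Risk = Consequence x Probability, on the scales above."""
    return (CONSEQUENCE.index(consequence) + 1) * 5 * (PROBABILITY.index(probability) + 1)


def rating(score: int) -> str:
    """Map a score onto the paper's 4-level rating scale."""
    for name, floor in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score {score} is below the scale")


@dataclass(frozen=True)
class Control:
    name: str
    cost: int        # assumed cost units
    prob_drop: int   # probability levels removed when the control is applied
    cons_drop: int   # consequence levels removed when the control is applied


@dataclass
class Risk:
    name: str
    consequence: str
    probability: str
    candidates: tuple                        # controls the spiral may pick from
    applied: list = field(default_factory=list)
    spent: int = 0

    def score(self) -> int:
        return inherent_risk(self.consequence, self.probability)

    def shifted(self, c: Control) -> tuple:
        """(consequence, probability) after applying c, clamped at the bottom level."""
        q = max(0, CONSEQUENCE.index(self.consequence) - c.cons_drop)
        p = max(0, PROBABILITY.index(self.probability) - c.prob_drop)
        return CONSEQUENCE[q], PROBABILITY[p]

    def after(self, c: Control) -> int:
        return inherent_risk(*self.shifted(c))

    def apply(self, c: Control) -> None:
        self.consequence, self.probability = self.shifted(c)
        self.applied.append(c)
        self.spent += c.cost


def mitigate(risk: Risk, budget: int) -> dict:
    """One spiral: apply the control with the best reduction per unit cost,
    re-score on the same scales (the post-mitigation review) and repeat until
    the residual rating is acceptable or no affordable control reduces it."""
    inherent, loops = risk.score(), 0
    while rating(risk.score()) not in ACCEPTABLE:
        options = [c for c in risk.candidates if c not in risk.applied
                   and risk.spent + c.cost <= budget and risk.after(c) < risk.score()]
        if not options:
            break  # not acceptable: the paper says repeat the whole process
        best = max(options, key=lambda c: (risk.score() - risk.after(c)) / max(c.cost, 1))
        risk.apply(best)
        loops += 1
    residual = risk.score()
    return {"risk": risk.name, "inherent": inherent, "residual": residual,
            "rating": rating(residual), "accepted": rating(residual) in ACCEPTABLE,
            "controls": [c.name for c in risk.applied], "cost": risk.spent, "loops": loops}


def sample_register() -> list:
    """CONSTRUCTED register: three risks with candidate controls and costs."""
    return [
        Risk("Unpatched internet-facing web server", "Major", "Almost Certain",
             (Control("Monthly patch cycle", 20, 2, 0),
              Control("Web application firewall", 35, 1, 0),
              Control("Segment server from internal network", 30, 0, 2))),
        Risk("Loss of backup tapes in transit", "Catastrophic", "Unlikely",
             (Control("Encrypt backup media", 10, 0, 3),
              Control("Use bonded courier", 15, 1, 0))),
        Risk("Legacy control system cannot be patched", "Catastrophic", "Likely",
             (Control("Network monitoring", 40, 1, 0),)),
    ]


def run(budget_per_risk: int = 60) -> list:
    """Score and mitigate every risk in the sample register."""
    return [mitigate(r, budget_per_risk) for r in sample_register()]
```

Running `run()` takes the web-server risk from 100 (Extreme) to 30 (Moderate) in two loops at a cost of 50, the backup-tape risk from 50 (High) to 20 (Moderate) with a single control, and leaves the legacy system at 75 (still Extreme) with `accepted` False, which is the case where the paper says the whole process is repeated. The greedy choice of the control with the highest reduction per unit cost is a simplification; a real register would also trade budget across risks rather than per risk.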
7. Good Security Practice
The risk assessment process is usually repeated at least every 3 years. However, risk management should
be conducted and integrated into the SDLC for IT systems, not because it is required by law or regulation, but because
it is a good practice and supports the organization’s business objectives. There should be a specific schedule for
assessing and mitigating mission risks, but the periodically performed process should also be flexible enough to
allow changes where warranted, such as major changes to the IT system and processing environment resulting from
new policies and new technologies.
8. Keys for Success
A successful risk management program will rely on:
(1) Senior management’s commitment.
(2) The full support and participation of the IT team.
(3) The competence of the risk assessment team, which must have the expertise to apply the risk assessment
methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the
needs of the organization.
(4) The awareness and cooperation of members of the user community, who must follow procedures and comply
with the implemented controls to safeguard the mission of their organization.
(5) An ongoing evaluation and assessment of the IT-related mission risks.