When considering IT security, an organization must judge the level of that security based on the level of risk to the organization. An example would be two organizations with a presence on the Internet. One is a small religious congregation with a simple website used to communicate its mission with parishioners. The other is an eCommerce site transacting multi-millions of dollars in business annually. While hacking is possible with both websites, the level of intrusion by an outside party is likely more significant with the eCommerce website than it is with the religious site.
Risk management is an integral part of an information security program. It provides the foundation for building an adequate response at a level sufficient enough to support the organizational objectives while not hindering them (Peltier, 2013). Doing a risk-assessment allows the organization to build a cost-effective IT security system that protects the vital information of the organization. Conducting risk-assessment early in the development of the information system avoids the cost of having to retrofit down the road due to an unknown risk. It allows for the alignment of information security with business objectives. Risk assessment is the business process of identifying threats and the impact of those threats (Layton, 2016).
Senior management must be involved and be in total support of the development of an IT security system and be primarily involved with the risk assessment. As the mission owners, they will be in the best position to identify potential risks as well as determining the risk level. It is important to note that risk assessment is a business function, not an IT function. It can only devise the technical solution to what the business identifies what needs protecting. From the risk assessment, we can develop the policies needed to govern the security of the information system.
The risk assessment will identify vulnerabilities, while risk management will identify which techniques to use to protect against them.
- First, enlist those on the frontlines of your organization, the employees. They use the system day-in and day-out and will be full of useful insights on what needs protecting.
- Protect assets according to their value. Understand what the most valuable information assets are that the organizations possess and set your security levels by that assessment. Protecting everything is costly and inefficient and usually not needed.
- Automate processes and functions. Use artificial intelligence and machine learning; behavioral analytics are becoming critical tools in mitigating security risks.
- Create a security roadmap with management support and is appropriately budgeted. A security system plan goes nowhere if management doesn’t support it and the best way to show that support is through adequate budgeting.
- Make your IT security department an equal branch of the entire company. IT security operates effectively in the company’s where the department is represented at the board table (AT Kearney, n.d.).
AT Kearney. (n.d.). The Golden Rules of Operational Excellence in Information Security Management. Retrieved April 7, 2019, from https://www.atkearney.co.jp/documents/10192/7073823/The+Golden+Rules+of+Operational+Excellence+in+Information+Security+Management.pdf/118c56c7-b3d8-4e88-871f-3d7a00cebc8c
Layton, T. P. (2016). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: CRC Press.
Peltier, T. R. (2013). Information Security Fundamentals, Second Edition. Boca Raton, FL: CRC Press.