RISK MANAGEMENT IN INFORMATION SYSTEMS SECURITY

In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission from IT-related risk. An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets.

Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

Information security risk management is the process of managing risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization’s assets. The end goal of this process is to treat risks in accordance with an organization’s overall risk tolerance.

Stages of Risk Management

1.Risk Identification

The first step in risk management is to identify potential threats and vulnerabilities that could impact the security of information systems. This involves conducting a thorough assessment of the organization's IT infrastructure, including hardware, software, networks, and data assets. It’s as follows:

Identify assets: What data, systems, or other assets that would be considered by the organization. For example, which assets would have the most significant impact on the organization if their confidentiality, integrity or availability were compromised.

Identify vulnerabilities: Identify what system-level or software vulnerabilities are putting the confidentiality, integrity, and availability of the assets at risk. The weaknesses or deficiencies in organizational processes which could result in information being compromised.

Identify threats: What are some of the potential causes of information becoming compromised? For example, is your organization’s data centre located in a region where environmental threats, like tornadoes and floods, are more prevalent.

Identify controls: A control directly addresses an identified vulnerability or threat by either completely fixing it (remediation) or lessening the likelihood and/or impact of a risk being realized (mitigation). For example, if you’ve identified a risk of terminated users continuing to have access to a specific application, then a control could be a process that automatically removes users from that application upon their termination.

A compensating control is a “safety net” control that indirectly addresses a risk.

2. Risk Assessment

Once risks have been identified, they need to be assessed in terms of their potential impact and likelihood of occurrence. This helps organizations prioritize risks and allocate resources effectively to address the most critical security threats. This is the process of combining the information you’ve gathered about assets, vulnerabilities, and controls to define a risk.

3.Risk Management Strategy

Once a risk has been assessed and analyzed, an organization will need to select treatment options. Several treatment options include the following:

Remediation: Implementing a control that fully or nearly fully fixes the underlying risk. Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.

Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely. Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server. Also, encryptions and training employees.

Transference: Transferring the risk to another entity so your organization can recover from incurred costs of the risk being realized. Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited.

(Note: this should be used to supplement risk remediation and mitigation but not replace them altogether.)

Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk costs more than the costs that would be incurred if the risk were to be realized. Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server; it cannot be used as an entry point to access other critical assets, and a successful exploit of the vulnerability is very complex. As a result, you decide you do not need to spend time and resources to fix the vulnerability.

Risk avoidance: Removing all exposure to an identified risk Example: You have identified servers with operating systems (OS) that are about to reach end of-life and will no longer receive security patches from the OS creator. These servers process and store both sensitive and non-sensitive data. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate non-sensitive data to other servers.

4.Risk Communication Strategy

Regardless of how a risk is treated, the decision needs to be communicated within the organization. Stakeholders need to understand the costs of treating or not treating a risk and the rationale behind that decision. Responsibility and accountability need to be clearly defined and associated with individuals and teams in the organization to ensure the rightpeople are engaged at the right times in the process.

5. Risk Monitoring

Risk management is an ongoing process that requires continuous monitoring and evaluation of security controls to ensure they are effective in mitigating risks. Organizations should regularly review and update their risk management strategies in response to changes in the threat landscape and the business environment.

6. Security Awareness:

One of the most important components of risk management in information systems security is ensuring that employees are aware of security risks and best practices. Training programs and awareness campaigns can help employees recognize and respond to potential security threats, reducing the likelihood of security incidents.

7. Cybersecurity risk management

It is an ongoing task, and its success will come down to how well risks are assessed, plans are communicated, and roles are upheld. Identifying the critical people, processes, and technology to help address the steps above will create a solid foundation for a risk management strategy and program in your organization, which can be developed further over time.

CONCLUSION

Risk management in information systems security is a complex and multifaceted process that requires a comprehensive approach to identifying, assessing, and mitigating security risks. By implementing effective risk management strategies, organizations can protect their information assets and maintain the confidentiality, integrity, and availability of their systems and data. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.