
Lesson#36

Risk Management

Risk Management

Risk management is the process of measuring or assessing risk and then developing strategies to manage it. In general, the strategies employed include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Risk management is a general concept that can cover many different aspects or issues, for example risk management against natural disasters, financial risk management, knowledge risk management and relationship risk management. No matter which aspect of risk is being covered, the general approach is much the same. Since we are focused here on the study of information systems, we will relate the discussion to the risks that affect the proper working of information systems.
Managing the security risks associated with reliance on information technology is a continuing challenge. Many private organizations have struggled to find efficient ways to ensure that they fully understand the information security risks affecting their operations and implement appropriate controls to mitigate these risks. In recent years, systems have become more susceptible to viruses because computers have become more interconnected and, thus, more interdependent and accessible to a larger number of individuals.

Incorporating Risk Management in the SDLC
The process of risk management is no different for each phase of the SDLC. Rather, it is an iterative process that can be performed at each major phase. Every step of development has its own risks, which need to be handled and addressed separately. Hence managing risk in the SDLC means managing the risk of each phase of the life cycle.

36.1 Phases of Risk Management
Following are the various phases of risk management, which are applied within the SDLC:
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact Analysis
Risk Identification
Control Recommendation
Results Documentation
Implementation
Monitoring
This can also be presented as a separate diagram.

36.2 What is a Focal Point?
A corporate-level facilitator may serve as a focal point for assessments throughout the company, including those pertaining to information security, because of familiarity with the tools and the reporting requirements. Each business unit in an organization may have a designated individual responsible for the business unit's risk assessment activities. A computer hardware and software company may also create a team for the purpose of improving the overall risk assessment process and reviewing the results of risk assessments of its hardware and software systems, from the perspective of offering a better, more reliable and risk-free product.

36.3 System Characterization
In assessing risks for an IT system, the first step is to define the scope of the effort. The resources and information that constitute the system are identified. The system-related information that is documented includes:
1. Hardware
2. Software
3. System Interface
4. Data & Information
5. People (Who support and use IT)
6. Systems Mission (Processes performed by IT system)

Additional information that may help in characterizing the system includes:
1. Functional requirements of IT system
2. Users of system (technical support and application users)
3. System Security Policy
4. System Security Architecture

As the output of this phase we get:
1. System boundary
2. System function
3. System and data criticality – the system's value to the organization
4. System and data sensitivity – the level of protection required to maintain system and data integrity, confidentiality and availability.
The following methods can be used to gather information on the IT system within its operational boundary:
1. Questionnaires
2. On-site interviews
3. Document review
4. Use of automated scanning tools

36.4 Steps in Threat Identification
The following steps are followed in this phase:
1. Threat source identification – sources range from human to natural threats.
2. Motivation and threat actions – the reasons why someone would instigate a threat, and the actions they could take in doing so, are discovered.

Examples
Information such as the history of attacks on the system and data from intelligence agencies is used as input to determine and identify what kinds of threats the system is exposed to. The output of this phase is a threat statement identifying and defining the threats.

36.5 Vulnerability Assessment
Vulnerability is a weakness that can be accidentally triggered or intentionally exploited. This phase
helps in building up a list of weaknesses and flaws that could be exploited by the potential threat
sources.

Example
Threat Source                        Motivation                             Threat Actions
Hacker, cracker (already discussed)  Challenge, Ego, Rebellion              Hacking; System intrusion; Computer crime
Terrorist                            Blackmail, Destruction, Exploitation   System tampering; Assault on an employee
The following information is used as input:
1. Reports of prior risk assessments
2. Any audit comments
3. Security requirements
4. Security test results
The output of this phase is a list of potential vulnerabilities.
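As an added illustration (not part of the lesson), the following Python sketch carries the outputs of 36.4 and 36.5 as data: a threat statement built from the identified threat sources, and the list of potential vulnerabilities paired with the sources that could exploit them, so that each pair is ready for the later likelihood and impact phases. The threat sources, the vulnerabilities, and the "Flood" and "Disgruntled employee" entries are constructed sample input.

```python
from dataclasses import dataclass


@dataclass
class ThreatSource:
    name: str
    motivations: list   # empty for natural threats, which have no motivation
    actions: list


@dataclass
class Vulnerability:
    description: str
    exploitable_by: list  # names of threat sources able to trigger or exploit it


# Constructed sample input: the two human sources from the lesson's table plus one
# natural source, since the lesson says sources range from human to natural.
SOURCES = [
    ThreatSource("Hacker, cracker", ["Challenge", "Ego", "Rebellion"],
                 ["Hacking", "System intrusion", "Computer crime"]),
    ThreatSource("Terrorist", ["Blackmail", "Destruction", "Exploitation"],
                 ["System tampering", "Assault on an employee"]),
    ThreatSource("Flood", [], ["Water damage to equipment"]),
]
VULNERABILITIES = [  # constructed weaknesses, as a vulnerability assessment would list them
    Vulnerability("Accounts of terminated employees are not removed", ["Hacker, cracker"]),
    Vulnerability("Server room has no physical access control", ["Terrorist", "Hacker, cracker"]),
    Vulnerability("Data centre is below the local flood line", ["Flood"]),
    Vulnerability("Backups are never test-restored", ["Disgruntled employee"]),
]


def threat_statement(sources):
    """Output of threat identification: one line per source naming motivation and actions."""
    lines = []
    for s in sources:
        motive = ", ".join(s.motivations) or "none (natural threat)"
        lines.append(f"{s.name}: motivation = {motive}; actions = {', '.join(s.actions)}")
    return lines


def threat_vulnerability_pairs(sources, vulns):
    """Output of vulnerability assessment: each vulnerability paired with every identified
    source that could exploit it. Returns (pairs, unmatched); an unmatched vulnerability
    names a source missing from the threat statement, so threat identification is incomplete."""
    known = {s.name for s in sources}
    pairs, unmatched = [], []
    for v in vulns:
        matched = [name for name in v.exploitable_by if name in known]
        pairs.extend((name, v.description) for name in matched)
        if not matched:
            unmatched.append(v.description)
    return pairs, unmatched
```

Running `threat_vulnerability_pairs(SOURCES, VULNERABILITIES)` yields four threat/vulnerability pairs and flags the backup weakness, whose only named source is absent from the threat statement.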
