We all talk about the word “RISK” every day, in many discussions both personal and professional: with family and friends, with doctors and lawyers, with builders and stock brokers, and with everyone else.
Have we understood the word “RISK”?
Reply: I… think… Yesss.
RISK is an integral part of EVERY ACTION that we do in our LIFE. An action could be anything: walking on the street, driving to the office, having dinner at a five-star restaurant, buying any object, switching to a new job, etc. Everything we do during a day is an ACTION.
There is a “RISK” OF ACCIDENT while walking on the street or driving a car. There is a “RISK” OF THEFT/LOSS while buying any object. There is a “RISK” OF DISEASE/FOOD POISONING while having dinner at restaurants.
From an INFORMATION SECURITY context, there is a “RISK” OF LOSS OF CUSTOMERS in case security requirements are violated by the organization. In fact, in today’s age, this is not only about LOSS OF CUSTOMERS but may also come with bigger consequences, like the “RISK” OF LOSS OF REPUTATION due to non-compliance with contractual, legal or regulatory requirements. This could become even worse in the case of huge legal liability under legal & regulatory requirements, and could result in a huge financial penalty and may lead to going “OUT of BUSINESS”.
So tell me, what is RISK?
“RISK” is a function of IMPACT and LIKELIHOOD OF OCCURRENCE.
Every ACTION has a POSITIVE or NEGATIVE IMPACT. Since we are talking about “RISK”, let’s think of the negative outcome of an ACTION. Think of the worst that could happen to the BUSINESS. Think of what the magnitude of IMPACT could be in terms of MONETARY LOSS or REPUTATION LOSS.
Unless we consider the likelihood factor, the magnitude of IMPACT shall always remain on the HIGHER side, hence it might not reflect the accurate RISK POSTURE. Further, without factoring in the likelihood of occurrence, a “COST-EFFECTIVE” risk treatment plan is difficult to arrive at.
But I have already implemented controls to reduce both IMPACT and LIKELIHOOD OF OCCURRENCE.
Reply: Great. These controls are implemented against VULNERABILITIES. A VULNERABILITY is a weakness associated with an Information System. These could be “Improper Firewall Configuration”, “Unsecured Ports are OPEN”, “No Periodic Review of Access Rules”, etc.
IN MOST OF THE CASES, the primary reason for a successful attack is the existence of such VULNERABILITIES or WEAKNESSES.
Now, how would you prevent such an attack?
Response: work on the weaknesses.
In an ideal Information Security Risk Management process, RISK is measured after considering existing VULNERABILITIES and existing IMPLEMENTED CONTROLS.
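The two ideas above, RISK as a function of IMPACT and LIKELIHOOD OF OCCURRENCE and RISK measured against existing VULNERABILITIES and IMPLEMENTED CONTROLS, as a small worked register. This is an added illustration, not code from the post; the 1..5 scales, the ratings given to the three weaknesses named in the post, and the control costs are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Qualitative scales for IMPACT and LIKELIHOOD OF OCCURRENCE (constructed: 1 = lowest, 5 = highest).
RARE, POSSIBLE, LIKELY = 1, 3, 5
LOW, MEDIUM, HIGH = 1, 3, 5

@dataclass
class Control:
    name: str
    impact_cut: int       # scale points the control removes from IMPACT
    likelihood_cut: int   # scale points the control removes from LIKELIHOOD
    cost: int             # yearly cost in arbitrary units (constructed)

@dataclass
class Weakness:
    name: str
    impact: int
    likelihood: int
    controls: list = field(default_factory=list)

def risk(impact: int, likelihood: int) -> int:
    """RISK as a function of IMPACT and LIKELIHOOD OF OCCURRENCE (product of the two scales)."""
    return impact * likelihood

def inherent_risk(w: Weakness) -> int:
    """Risk before any IMPLEMENTED CONTROL is credited."""
    return risk(w.impact, w.likelihood)

def residual_risk(w: Weakness) -> int:
    """Risk after IMPLEMENTED CONTROLS; neither factor can drop below 1 on the scale."""
    impact = max(1, w.impact - sum(c.impact_cut for c in w.controls))
    likelihood = max(1, w.likelihood - sum(c.likelihood_cut for c in w.controls))
    return risk(impact, likelihood)

def treatment_value(w: Weakness) -> float:
    """Risk reduction bought per unit of control cost: the basis of a COST-EFFECTIVE treatment plan."""
    cost = sum(c.cost for c in w.controls)
    return (inherent_risk(w) - residual_risk(w)) / cost if cost else 0.0

def rank(weaknesses, key):
    """Weakness names from highest to lowest score; ties keep register order (sorted() is stable)."""
    return [w.name for w in sorted(weaknesses, key=key, reverse=True)]

# Constructed register built from the weaknesses the post names; all ratings are illustrative.
REGISTER = [
    Weakness("Improper Firewall Configuration", HIGH, RARE),
    Weakness("Unsecured Ports are OPEN", MEDIUM, LIKELY,
             [Control("Close unused ports on hosts", 1, 3, cost=2)]),
    Weakness("No Periodic Review of Access Rules", MEDIUM, POSSIBLE,
             [Control("Quarterly access-rule review", 0, 2, cost=4)]),
]

if __name__ == "__main__":
    print("Impact only  :", rank(REGISTER, lambda w: w.impact))   # HIGH impact item leads
    print("Inherent risk:", rank(REGISTER, inherent_risk))       # LIKELY item leads once likelihood counts
    print("Residual risk:", rank(REGISTER, residual_risk))
    for w in REGISTER:
        print(f"{w.name}: inherent={inherent_risk(w)} residual={residual_risk(w)} value/cost={treatment_value(w):.1f}")
```

Ranking by IMPACT alone puts the rarely exploited firewall weakness first; once LIKELIHOOD is factored in, the open-ports weakness carries the highest inherent risk and its control also buys the most risk reduction per unit cost.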
There are many Information Security Risk Management methodologies available. An organization can choose the one best suited to it based on its requirements, level of complexity, capability to perform risk management and organizational structure.
Really informative...
Great stuff! :)
It's useful and interesting knowledge for basic level... :)
Thank you Chavan, visit my other blogs on "Making effective IS Policy", "Effectiveness Measurement" and "Information Security in Project Management"
Amazing content....
Thanks Parth...