Monday, October 13, 2014

Identify Information Security Risks

In information security management, it is important not only to identify the risks to company assets but also to identify, in the first place, which assets are at risk.

Is it better to identify first which assets need to be protected? Or is it better to identify the threats that exist and then work out which assets are at risk from those threats? Much depends on the size of the company and how labor-intensive each approach would be. Ideally, both angles should be considered when protecting company assets.

Another key point in protecting company assets is to assess the priority of protecting each one. Once the assets at risk have been identified, each should be assigned a priority reflecting how exposed it is and how much damage its compromise would cause.

Risks do not consist only of breaches. They also include natural disasters, accidents, mistakes, and so on. Assets need to be protected from all of these risks.

The cost of having an asset damaged, destroyed, or breached must also be considered. If the loss of an asset would be costly, the priority of protecting that asset rises accordingly.

Another aspect of managing risk is the inherent risk that employees bring into the company through their ability to access company information from anywhere and from their own devices. How should a company address this risk? Should a company prevent employees from accessing company information outside the corporate network? What would that do to the work/home balance that employees need in order to stay happy working for the company?

Another consideration is how quickly a company can assess its own risk level. The percentage of companies that know their risk level at any given point in time is very low, which means that many companies do not even know that they are at risk.

One way to make it more likely that a company can assess risk levels quickly is to automate the process. There are many technical solutions that monitor the network, personal devices, email usage, and so on, and that can determine whether an employee is inadvertently or deliberately introducing risk to the company.

All these things need to be considered when assessing risk to company assets.

