Information Security Risk Analysis, Second Edition

Book Preface

Risk management is the process that allows business managers to balance operational and economic costs of protective measures and achieve gains in mission capability by protecting business processes that support the business objectives or mission of the enterprise. For most of this book, we will concentrate on the impacts of risk in the information security (IS) and information technology areas of an organization. Risk management, however, is not restricted to the information technology and security realm. This is a business process that assists management in meeting its fiduciary duty to protect the assets of the organization.

Risk management is the total process used to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce the risk of performing some activity or function to an acceptable level and obtain senior management approval.

Risk management is made up of four distinct processes: risk analysis, risk assessment, risk mitigation, and vulnerability assessment and controls evaluation (Table 2.1).

Senior management must ensure that the enterprise has the capabilities needed to accomplish its mission or business objectives. As we will see, senior management of a department, business unit, group, or other such entity is considered to be the functional owner of the enterprise’s assets, and it is senior management’s fiduciary duty to act in the best interest of the enterprise to implement reasonable and prudent safeguards and controls. Risk management is the tool that will assist in the task.