Risk management for information systems (Part 1)

Tram Ho

In life, things change unpredictably and risks can come from anywhere. The same goes for an information system: everything we use can lead to risks, and to minimize their effects we need a strategy to manage them appropriately. In a building, for example, we post guards against intruders and install surveillance cameras, fire extinguishers and emergency exits; in an information system, the risks likewise need clear, specific and effective strategies. So what is risk management, and how do we manage those risks? In this article, I will give a general overview of these questions.

I. Risk management

Risk management is the process an organization carries out to manage the risks to its information systems and its information assets (the assets that arise from its use of information technology).

We often hear that company A lost a few trillion to a hacker attack, or that group B leaked the information of several tens of millions of customers, and we imagine that risks are always such big things. In reality, the risks an organization faces appear anywhere, in any part of the information system, and can be as small as accidentally revealing the company's account password when logging into the xyz website, spilling something on a company computer and killing it, or Mr. X's cat stepping on the keyboard and accidentally deleting the database. All of these are risks to the information system that any organization using information technology can face.

So how do we manage risks effectively? As the military strategist said: "Know the enemy and know yourself, and in a hundred battles you will win a hundred victories." To devise a strategy for managing anything, you need to understand the situation of both yourself and your opponent. Risk management is no exception.

1. Understand yourself

Everyone has a good side and a bad side. We are inherently imperfect, and since organizations are made by people, they always have certain flaws. Every organization has its own risks, and no two are completely alike. Those risks can come from the people you hire, the products you make, your marketing, or even where the organization is located.

For information security management, managers need to understand how information is collected, processed, stored and transmitted. Knowing yourself in this case simply means knowing what you have, how valuable it is to the organization, how it is classified and how it is currently protected. For example, a user's information, such as username, email, password, profile picture, card number, CVV number, and so on, can be classified into the two most basic types: public and private. Information such as usernames, emails and avatars can be treated as public, and the privacy policies applied to them need not be too strict. In contrast, information such as passwords, card numbers and CVV numbers should be classified as confidential, and strict policies should be applied to prevent its disclosure.

2. Understand your competition

As the military strategist said: "Those who know neither the enemy nor themselves will lose every battle; those who know themselves but not the enemy will win one and lose one; only those who know both the enemy and themselves will be victorious." To secure information systems, managers also need to be aware of the risks their organizations may face. To do this, the following questions should normally be answered:

  • What risks are likely to occur to an organization’s information assets?
  • What consequences could that risk have for the organization?
  • What level of risk is acceptable to the organization?
  • What needs to be done to reduce the current level of risk to an acceptable level?

Of the four questions above, the first three are often referred to collectively as risk analysis. Each question corresponds to a sub-process of risk management:

a. Risk identification

  • Synthesize all information assets
  • Categorize and organize them properly
  • Evaluate the value of each information asset
  • Identify threats to each group
  • Identify vulnerability to assets by associating assets with appropriate threats

b. Risk assessment

  • Determine, for each threat, the likelihood that it compromises the system
  • Assess the relative risk to each of the system's information assets, so that you know which assets need the most control and protection
  • Calculate the residual risk of losing each asset given the controls currently in place
  • Review the parts of the system that could be attacked, to identify vulnerabilities and decide how to control the risks to the assets
  • Document and report on risk identification and assessment

c. Risk appetite

  • Determine the level of risk that is acceptable for each risk
  • Set the risk tolerance in the context of the organization's specific situation

d. Risk control

  • Determine the most effective ways of control
  • Purchase or install and apply the appropriate controls
  • Observe the overall performance to ensure that the methods are being used effectively.
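The classification rule from section 1 and steps a to d above, worked through as an added Python example (not code from the original article): a small risk register that scores each asset/threat pair against the controls currently in place, compares it with the organization's appetite, and lists what risk control still has to treat. The scoring formula (value × likelihood × share of loss not prevented), the appetite threshold and all sample values are assumptions for illustration.

```python
from dataclasses import dataclass

# Classification rule from the article: credentials and card data are
# confidential, everything else about the user is treated as public.
CONFIDENTIAL_FIELDS = {"password", "card_number", "cvv"}

def classify(field_name: str) -> str:
    return "confidential" if field_name in CONFIDENTIAL_FIELDS else "public"

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # "public" or "confidential"
    value: int           # 1 (low) .. 5 (critical) importance to the organization

@dataclass(frozen=True)
class Threat:
    description: str
    likelihood: float             # 0..1, chance it occurs in the review period
    control_effectiveness: float  # 0..1, share of the loss current controls prevent

def residual_risk(asset: Asset, threat: Threat) -> float:
    """Risk that remains with today's controls (step b: 'controls currently in place')."""
    return asset.value * threat.likelihood * (1 - threat.control_effectiveness)

def assess(register, appetite: float):
    """Score every asset/threat pair and flag whether it sits within appetite (step c)."""
    findings = [
        (a.name, t.description, round(residual_risk(a, t), 2), residual_risk(a, t) <= appetite)
        for a, t in register
    ]
    return sorted(findings, key=lambda f: f[2], reverse=True)

def needs_treatment(register, appetite: float):
    """Pairs that step d must bring down with additional controls."""
    return [(name, desc) for name, desc, _, ok in assess(register, appetite) if not ok]

# Constructed sample register (values are illustrative, not measured).
PASSWORDS = Asset("user passwords", classify("password"), 5)
CARDS = Asset("card numbers", classify("card_number"), 5)
AVATARS = Asset("profile pictures", classify("avatar"), 1)
SAMPLE_REGISTER = [
    (PASSWORDS, Threat("credentials typed into a phishing site", 0.4, 0.5)),
    (PASSWORDS, Threat("keyboard mishap deletes the database", 0.1, 0.9)),
    (CARDS, Threat("database leaked", 0.2, 0.6)),
    (AVATARS, Threat("pictures scraped from public profiles", 0.3, 0.0)),
]
APPETITE = 0.5  # highest residual score the organization accepts
```

Calling `assess(SAMPLE_REGISTER, APPETITE)` returns the register ranked by residual risk, and `needs_treatment` narrows it to the pairs above appetite, which is the input to step d.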

Source : Viblo