Information security risk management (ISRM) is the process of managing the risks that arise from an organization's use of information technology. It runs in five phases: identifying risks, assessing them, treating the risks to confidentiality, integrity and availability (the CIA components), communicating risk to stakeholders, and then repeating the cycle as the environment changes. The goal is to treat risk in line with the organization's overall risk tolerance: no organization can eliminate all risk, so the aim is to identify and reach a level of residual risk that the organization can accept.
Risk identification consists of identifying assets, the vulnerabilities in those assets, the threats that could exploit those vulnerabilities, and the controls already in place. Each identified risk is therefore described in terms of a vulnerability, a threat that could exploit it, and the controls that bear on it.
Risk assessment merges the gathered information about assets, vulnerabilities, threats and controls to determine the level of each risk. There are many approaches and frameworks, but the following equation is often used as a working heuristic:
Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value) - security controls
This is a scoring model rather than a literal law of arithmetic: the terms are ordinal ratings (for example 1 to 5), threat and vulnerability together express how likely an exploit is and how much damage it would do, asset value scales that damage to the business, and the existing security controls reduce the result to the residual risk that is actually compared against the risk tolerance. In practice controls lower likelihood or impact rather than being subtracted as a flat amount, so the equation is best read as an aid for ranking risks consistently, not as a precise measurement.
Information security risks can be managed and mitigated by applying a risk management framework, so that the organization handles every risk in the same, repeatable way. A simple framework has three stages:
Risk identification enumerates the assets of the information system, the vulnerabilities in each asset, and the internal and external threats that could exploit them.
Risk assessment rates each identified vulnerability by the likelihood that it is exploited and the impact on the organization if it is.
Risk control selects, implements and monitors the mitigation measures for the assessed risks.
The three stages work together (risk identification, risk assessment, risk control): each feeds the next, and none of them manages risk on its own.
Risk assessment is the stage that makes the other two useful, because it is what tells the organization which risks need treatment and which can be accepted.
Mitigation measures for risks in an information system include:
· Keep systems updated and patched, so that known vulnerabilities cannot be exploited.
· Apply Pareto analysis to the assessed risks to identify the small set of issues that account for most of the exposure, and address those first.
· Deploy properly configured firewalls so that network access is restricted to what the system actually requires.
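As an added example that is not part of the original page, the following Python script applies the risk equation given above to a small, constructed risk register and then carries the result through the treatment and Pareto steps listed here. Each entry is rated 1 to 5 for threat, exploit likelihood, exploit impact and asset value; the security controls term is modelled as the fraction of inherent risk that existing controls remove (an assumption made for this example, since the page fixes no scale for it); each residual score is compared with a constructed risk tolerance to decide whether the risk is accepted or must be mitigated; and a Pareto analysis picks out the few risks that make up 80% of the remaining exposure. The asset names, ratings and tolerance are all illustrative.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    asset: str
    threat: int                   # 1-5: capability and intent of the threat source
    exploit_likelihood: int       # 1-5: how easily the vulnerability is exploited
    exploit_impact: int           # 1-5: damage to the asset if it is exploited
    asset_value: int              # 1-5: value of the asset to the business
    control_effectiveness: float  # 0.0-1.0: share of inherent risk existing controls remove


def inherent_risk(r: Risk) -> int:
    # vulnerability = exploit likelihood x exploit impact, as in the page's equation
    vulnerability = r.exploit_likelihood * r.exploit_impact
    return r.threat * vulnerability * r.asset_value


def residual_risk(r: Risk) -> int:
    # "- security controls": the controls term is expressed as the fraction of
    # inherent risk the controls remove, so the subtraction stays on one scale
    # (assumption made for this example; the page does not fix a scale).
    inherent = inherent_risk(r)
    return inherent - round(inherent * r.control_effectiveness)


def treatment(r: Risk, tolerance: int) -> str:
    # Residual risk within tolerance is accepted; above it, the risk must be treated.
    return "accept" if residual_risk(r) <= tolerance else "mitigate"


def pareto_top_risks(register: List[Risk], share: float = 0.8) -> List[str]:
    # Rank by residual risk and return the assets that together account for at
    # least `share` of the total residual exposure (the "vital few").
    ranked = sorted(register, key=residual_risk, reverse=True)
    total = sum(residual_risk(r) for r in ranked)
    chosen: List[str] = []
    running = 0
    for r in ranked:
        chosen.append(r.asset)
        running += residual_risk(r)
        if running >= share * total:
            break
    return chosen


# Constructed sample register (values are illustrative, not real assessments).
REGISTER = [
    Risk("customer-db",    threat=5, exploit_likelihood=4, exploit_impact=5, asset_value=5, control_effectiveness=0.6),
    Risk("public-website", threat=4, exploit_likelihood=3, exploit_impact=3, asset_value=3, control_effectiveness=0.5),
    Risk("hr-fileshare",   threat=3, exploit_likelihood=2, exploit_impact=4, asset_value=4, control_effectiveness=0.75),
    Risk("dev-wiki",       threat=2, exploit_likelihood=2, exploit_impact=2, asset_value=2, control_effectiveness=0.0),
]
RISK_TOLERANCE = 50  # constructed: the residual score the organization is willing to accept


def build_report(register: List[Risk] = REGISTER,
                 tolerance: int = RISK_TOLERANCE) -> Dict[str, Tuple[int, int, str]]:
    # asset -> (inherent score, residual score, treatment decision)
    return {r.asset: (inherent_risk(r), residual_risk(r), treatment(r, tolerance)) for r in register}


if __name__ == "__main__":
    for asset, (inh, res, action) in build_report().items():
        print(f"{asset:15} inherent={inh:4} residual={res:4} -> {action}")
    print("Pareto focus:", pareto_top_risks(REGISTER))
```

With these constructed values the customer database (residual 200) and the public website (54) exceed the tolerance and must be treated, while the file share (24) and the wiki (16) are accepted; the Pareto step shows that the first two alone make up more than 80% of the remaining exposure, which is where mitigation effort should go first.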
Risk management allows an organization to identify and manage risks, attacks and unauthorized access. To manage risks, a risk management framework and supporting procedures are defined within the organization's information security program. An effective framework and procedures let IT security teams work efficiently through consistent control assessments and vulnerability remediation processes, and they speed up decision-making by providing timely insight into information risks and security posture. Information security risk management frameworks are built around the core objectives of the CIA triad (confidentiality, integrity and availability). The procedures ensure that sensitive data can be read only by users who have permission to do so (confidentiality), that only reliable and authorized parties can change or modify organizational data (integrity), and that data and systems remain accessible to those users when they need them (availability). Some procedures used to manage information security risks within an organization are as follows:
· Use a different password for each account, and choose longer passwords that combine letters, numbers and special characters.
· Use a firewall as the first line of network defence.
· Use anti-virus software to protect data from malware.
· Ensure the organization's social media profiles and accounts are locked down so that only authorized users can access and administer them.
· Establish a good security culture among employees and measure security awareness across the organization, because employee behaviour has a large impact on information security.
An organization can manage information security risks to a large extent by using an appropriate risk assessment framework. Two policies commonly used to manage these risks are the access control policy and the password policy.
Access Control Policy- This policy ensures that only legitimate users can access information. Access control rests on three steps: identification, authentication and authorization. Identification is the user's claim of an identity, usually a username that is stored in the system. Authentication verifies that claim, for example by checking the supplied password against the credential stored for that username. Authorization then decides what the authenticated identity is allowed to do, by checking the requested action against the permissions assigned to that user or to the user's role. Each step should be logged so that every access attempt and every connection through the firewall can be traced to a specific user.
Password Policy- Strong passwords prevent an intruder from accessing the organization's confidential information. A password policy is the set of rules that defines what kind of password a user may choose and how it is managed. Specific rules of the kind an organization adopts include:
· Minimum length of at least 6 characters (current guidance such as NIST SP 800-63B sets 8 characters as the minimum for user-chosen passwords, so 6 should be treated as a floor rather than a target).
· At least one uppercase letter.
· At least one lowercase letter.
· At least one numeric digit.
· Only the legitimate, authenticated user may change their own password.
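As an added example that is not from the original page, the following Python module implements the three access control steps described above together with the password policy: a username identifies the account, a salted PBKDF2 hash from the standard library's hashlib authenticates the password, a role-to-permission map authorizes actions, every decision is logged, a user may change only their own password after proving the current one, and the policy is enforced whenever a password is set. The minimum length is set to 8 rather than the 6 in the list above, following NIST SP 800-63B; the user names, passwords, role map, PBKDF2 iteration count and the demo function's inputs are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Set

PBKDF2_ROUNDS = 100_000  # assumption for this example; tune to your hardware
MIN_LENGTH = 8           # NIST SP 800-63B minimum; the page's list says 6


def password_violations(password: str) -> List[str]:
    """Return the policy rules the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


class AccessControl:
    """Identification (username), authentication (password) and authorization (role)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}           # username -> salt, hash, roles
        self._permissions: Dict[str, Set[str]] = {  # constructed role-to-permission map
            "reader": {"read"},
            "editor": {"read", "write"},
        }
        self.log: List[str] = []                    # one line per access decision

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create_user(self, username: str, password: str, roles: Set[str]) -> None:
        problems = password_violations(password)    # policy enforced at enrolment
        if problems:
            raise ValueError("password policy: " + ", ".join(problems))
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": self._hash(password, salt), "roles": set(roles)}

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)          # identification: does the claimed name exist?
        if record is None:
            self._hash(password, bytes(16))         # hash anyway so timing does not reveal unknown names
            ok = False
        else:                                       # authentication: does the password match?
            ok = hmac.compare_digest(self._hash(password, record["salt"]), record["hash"])
        self.log.append(f"auth {'ok' if ok else 'fail'} user={username}")
        return ok

    def authorize(self, username: str, action: str) -> bool:
        # Authorization: is the action permitted for the user's roles?  In a real
        # system `username` is the identity already established by authenticate().
        record = self._users.get(username)
        allowed = record is not None and any(action in self._permissions.get(r, set()) for r in record["roles"])
        self.log.append(f"authz {'ok' if allowed else 'deny'} user={username} action={action}")
        return allowed

    def change_password(self, actor: str, actor_password: str, target: str, new_password: str) -> bool:
        # Only the legitimate user may change their own password: the actor must be
        # the target account and must prove the current password first.
        if actor != target or not self.authenticate(actor, actor_password):
            return False
        if password_violations(new_password):
            return False
        salt = secrets.token_bytes(16)
        self._users[target].update(salt=salt, hash=self._hash(new_password, salt))
        return True


def demo() -> Dict[str, bool]:
    """Exercise the three access-control steps and the policy with constructed users."""
    ac = AccessControl()
    ac.create_user("alice", "Correct-Horse7", {"editor"})
    ac.create_user("bob", "Battery-Staple9", {"reader"})
    try:  # "Short1" meets the page's 6-character rule but not the 8-character floor
        ac.create_user("carol", "Short1", {"reader"})
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    results = {
        "weak_password_rejected": weak_rejected,
        "alice_login": ac.authenticate("alice", "Correct-Horse7"),
        "alice_wrong_password": ac.authenticate("alice", "wrong"),
        "unknown_user": ac.authenticate("mallory", "Correct-Horse7"),
        "bob_may_write": ac.authorize("bob", "write"),
        "alice_may_write": ac.authorize("alice", "write"),
        "bob_changes_alice": ac.change_password("bob", "Battery-Staple9", "alice", "NewPassw0rd"),
        "alice_changes_own": ac.change_password("alice", "Correct-Horse7", "alice", "NewPassw0rd"),
    }
    results["alice_new_login"] = ac.authenticate("alice", "NewPassw0rd")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

Two details matter beyond the policy rules themselves: the password is never stored, only a per-user salted PBKDF2 hash compared with a constant-time comparison, and the authentication log records the outcome for unknown and known usernames in the same form, so the log itself does not leak which accounts exist.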