risk management
Aims to accept risks that make sense to take and reduce unacceptable risks
(resolving obstacles)
Risk management process
- Assess risks
- identify risks to manage
- select controls
- implement and test controls
- evaluate controls
risk identification process
- identify threats
- identify vulnerabilities
- estimate likelihood of a threat exploiting vulnerability
threat
any circumstance or event where potential to adversely impact organisational operations, assets, individuals or the nation via unauthorized access, destruction, disclosure or modification information and/or denial of service
Vulnerability
Weaknesses in an information system security procedures, internal controls or implementation that could be exploited by a threat source
Asset
any information resource valued by the organisation
Top 10 threats to information security
- Technology with weak secuirty
- social media attacks
- social engineering
- mobile malware
- third party entry
- neglecting proper configuration
- outdated security software
- Lack of encryption
- corporate data on personal devices
10 security technology
Types of information risks
- IS business risk
- IS security risk
- IS/business continuity risk
- IS/IT audit risk
(Inherent risk, control risk, detection risk)
IS business risk
Likelihood that a business will not achieve its business goals and objectives
Information security risks
Includes risk associated with confidentiality, integrity, availability (including access) to information
IS/business continuity risk
that the information required to meet business needs is available
includes risks associated with and information systems availability and backup and recovery
IS/IT audit risk
Likelihood that an organisations external auditor makes a mistake when issuing an opinion attesting to the fairness of its financial statements or that an IT auditor fails to uncover a material error or fraud
The measure of IS/IT audit risks
Audit risk = Inherent risk * Control risk * detection risk
