Handbook of Information Security Management: Risk Management and Business Continuity Planning


Domain 3
Risk Management and Business Continuity Planning

Historically, an organization’s computer systems were centrally located in the company’s data center, and “keeping the train running” was the responsibility of Computer Operations. As such, disaster recovery and contingency planning were also the responsibility of Computer Operations, whose focus was to ensure that business applications on the mainframe were available as required.

Today’s computing environment is far different, more distributed, and as such, much more complex to manage. Business information is dispersed, as local area networks and departmental systems have replaced the monolithic mainframe.

Further, the emphasis on the computer and resident information has given way to an emphasis on ensuring continuity of the processes that keep the business running. Risk management and business continuity planning, therefore, must become critical components of business operations.

In order for managers to make informed decisions about whether to assume, avoid or transfer risk, and implement cost-effective security solutions, it is essential to adopt a methodology that addresses the issues in terms of cost and benefit. Chapter 3-1 assists us in understanding the basics of risk management, compares quantitative and qualitative approaches, and details the intricacies of automated, quantitative risk assessment practices.

Chapter 3-2 focuses on the procedural and management issues of business continuity in the distributed environment, in a manner that can be embraced by persons tasked with managing local area networked and departmental resources.

In Chapter 3-3, the author maps out the business impact assessment process, detailing the five steps required to achieve a practical and cost-effective approach toward planning for business disruptions.

Section 3-1
Risk Analysis

Chapter 3-1-1
Risk Analysis and Assessment

Will Ozier


While there are a number of ways to identify, analyze, and assess risk and considerable discussion of “risk” in the media and among information security professionals, there is little real understanding of the process and metrics of analyzing and assessing risk. Certainly everyone understands that “taking a risk” means “taking a chance,” but a risk or chance of what is often not so clear.

When one passes on a curve or bets on a horse, one is taking a chance of suffering harm/injury or financial loss — an undesirable outcome. We usually give more or less serious consideration to such an action before taking the chance, so to speak. Perhaps we would even go so far as to calculate the odds (chance) of experiencing the undesirable outcome and, further, take steps to reduce the chance of experiencing the undesirable outcome.

In order to effectively calculate the chance of experiencing the undesirable outcome, as well as its magnitude, one must have an awareness of the elements of risk and their relationship to each other. This, in a nutshell, is the process of risk analysis and assessment.

Knowing more about the risk, one is better prepared to decide what to do about it — accept the risk as now assessed (go ahead and pass on the blind curve or make that bet on the horses), or do something to reduce the risk to an acceptable level (wait for a safe opportunity to pass or put the bet money in a savings account with guaranteed interest). This is the process of risk mitigation or risk reduction.

There is a third choice: to transfer the risk, i.e., buy insurance. However prudent good insurance may be, all things considered, having insurance will not prevent the undesirable outcome; it will only serve to make some compensation — almost always less than complete — for the loss. Further, some risks, such as betting on a horse, are uninsurable.

The processes of identifying, analyzing and assessing, mitigating, or transferring risk are generally characterized as Risk Management. There are thus a few key questions that are at the core of the Risk Management process:

1.  What could happen (threat event)?
2.  If it happened, how bad could it be (threat impact)?
3.  How often could it happen (threat frequency, annualized)?
4.  How certain are the answers to the first three questions (recognition of uncertainty)?

These questions are answered by analyzing and assessing risk.

Uncertainty is the central issue of risk. Sure, one might pass successfully on the curve or win big at the races, but does the gain warrant taking the risk? Do the few seconds saved with the unsafe pass warrant the possible head-on collision? Are you betting this month’s paycheck on a long shot to win? Cost/benefit analysis would most likely indicate that both of these examples are unacceptable risks.

Prudent management, having analyzed and assessed the risks by securing credible answers to these four questions, will almost certainly find there to be some unacceptable risks as a result. Now what? Three questions remain to be answered:

1.  What can be done (risk mitigation)?
2.  How much will it cost (annualized)?
3.  Is it cost effective (cost/benefit analysis)?

Answers to these questions, decisions to budget and execute recommended activities, and the subsequent and ongoing management of all risk mitigation measures — including periodic reassessment — comprise the balance of the Risk Management paradigm.
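The seven questions above, worked through as an added example that is not from the chapter: a small Python model that carries each threat's impact and annualized frequency as a low/high range (so the fourth question, recognition of uncertainty, stays visible in the result) and then checks whether a candidate safeguard's annualized cost is justified by the loss it removes. The threats, figures and safeguards are constructed; the impact-times-frequency arithmetic is the standard quantitative approach rather than a formula the chapter itself states.

```python
"""Quantitative risk assessment following the chapter's four analysis
questions (event, impact, annualized frequency, uncertainty) and three
mitigation questions (what can be done, annualized cost, cost/benefit).

Added example: all threats, safeguards and figures are constructed.
The expected-annual-loss arithmetic (impact x annualized frequency) is a
standard quantitative method, not something the chapter states.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One 'what could happen' answer with its impact and frequency ranges."""
    name: str
    impact_low: float    # cost of one occurrence, low estimate
    impact_high: float   # cost of one occurrence, high estimate
    freq_low: float      # occurrences per year, low estimate
    freq_high: float     # occurrences per year, high estimate


@dataclass(frozen=True)
class Safeguard:
    """A candidate mitigation with its cost spread over one year."""
    name: str
    annual_cost: float
    frequency_reduction: float  # fraction of occurrences prevented (0..1)
    impact_reduction: float     # fraction of per-event loss avoided (0..1)


def expected_annual_loss(threat: Threat) -> tuple[float, float]:
    """Questions 2 and 3 combined: annualized loss as a (low, high) range.

    Keeping a range rather than a single figure is how question 4,
    uncertainty, is carried into the decision.
    """
    return (threat.impact_low * threat.freq_low,
            threat.impact_high * threat.freq_high)


def residual_annual_loss(threat: Threat, safeguard: Safeguard) -> tuple[float, float]:
    """Loss range that remains once the safeguard is in place."""
    f = 1.0 - safeguard.frequency_reduction
    i = 1.0 - safeguard.impact_reduction
    return (threat.impact_low * i * threat.freq_low * f,
            threat.impact_high * i * threat.freq_high * f)


def cost_benefit(threats: list[Threat], safeguard: Safeguard) -> dict:
    """Mitigation questions 1-3: annual benefit versus annualized cost.

    Benefit is the reduction in expected annual loss summed over the
    threats the safeguard addresses.  The safeguard is called cost
    effective only if it pays for itself under the low-estimate
    assumptions; if it pays off only at the high estimate, the decision
    hinges on how certain the estimates are (question 4).
    """
    benefit_low = benefit_high = 0.0
    for t in threats:
        before_low, before_high = expected_annual_loss(t)
        after_low, after_high = residual_annual_loss(t, safeguard)
        benefit_low += before_low - after_low
        benefit_high += before_high - after_high
    return {
        "safeguard": safeguard.name,
        "annual_cost": safeguard.annual_cost,
        "benefit_low": benefit_low,
        "benefit_high": benefit_high,
        "cost_effective": benefit_low >= safeguard.annual_cost,
    }


# Constructed scenarios (hypothetical figures, not from the chapter).
RANSOMWARE = Threat("Ransomware on file server", 50_000, 200_000, 0.1, 0.5)
LOST_LAPTOP = Threat("Lost laptop with unencrypted data", 10_000, 40_000, 1.0, 3.0)

# Constructed safeguards: backups cut the loss per event but not its
# frequency; encryption makes a lost laptop nearly harmless.
OFFLINE_BACKUPS = Safeguard("Tested offline backups", 20_000, 0.0, 0.8)
DISK_ENCRYPTION = Safeguard("Full-disk encryption on laptops", 5_000, 0.0, 0.9)


if __name__ == "__main__":
    for t in (RANSOMWARE, LOST_LAPTOP):
        low, high = expected_annual_loss(t)
        print(f"{t.name}: expected annual loss {low:,.0f} .. {high:,.0f}")
    for threats, sg in (([RANSOMWARE], OFFLINE_BACKUPS),
                        ([LOST_LAPTOP], DISK_ENCRYPTION)):
        r = cost_benefit(threats, sg)
        print(f"{r['safeguard']}: cost {r['annual_cost']:,.0f}, "
              f"benefit {r['benefit_low']:,.0f} .. {r['benefit_high']:,.0f}, "
              f"cost effective at low estimate: {r['cost_effective']}")
```

With these constructed figures the backup safeguard is justified only if the high-end estimates hold, while the encryption safeguard pays for itself even at the low end; that difference is exactly why the fourth question, how certain the first three answers are, belongs in the assessment rather than being left implicit.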

Information Risk Management is an increasingly complex and dynamic task. In the budding Information Age, the technology of information storage, processing, transfer, and access has exploded, leaving efforts to secure that information effectively in a never-ending catch-up mode. For the risks potentially associated with information and information technology (IT) to be identified and managed cost-effectively, it is essential that the process of analyzing and assessing risk is well understood by all parties and executed on a timely basis. This chapter is written with the objective of illuminating the process and the issues of risk analysis and assessment.


The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.