Managing IS risk is a daily decision-making process aimed at reducing losses and threats to a company. It is a proactive approach to reducing exposure to data/information loss and to ensuring the integrity of the applications used day-to-day. An IS security plan should include, at a minimum, a description of the security processes for the specified applications, the procedural and technical requirements, and the organizational structure that supports those processes. A risk assessment should be performed first, since identifying risks provides guidance on where to focus the security requirements. Security requirements and controls should reflect the business value of the information assets involved and the consequences of a security failure. Security mechanisms should be "cost beneficial", i.e. their cost should not exceed the cost of the risk they address. The overall IS security plan should also state the organization's expectations for risk.