This document addresses risk management assessment in general, and my organization’s local operational risks in particular.

Risk Management

Is risk management a game of chance, of calculation, or both? An organization rarely knows how or when an attack against its information security systems will come. What an organization can do is prepare for such attacks by learning the kinds of attacks that are common and by implementing the appropriate countermeasures.

Top Risks

The top risks that my organization faces come from within. As an established, nationwide, and internationally known entertainment services company, we have well-established security protocols and protective measures in place to address a wide variety of security needs: physical security, facilities, hardware, software, database access, personnel, and information. As such, our biggest vulnerability appears to be the company’s own employees.

An employee can grant physical or virtual access to company resources, knowingly or unknowingly, willfully or unintentionally. The threat can come from “internal attacks from greatest.

Mitigation Strategies

In our organization, we have well-established information security processes in place: user authentication for secure access to software, databases, and networks; badge access to buildings; security officers stationed at buildings; and unmarked (anonymous-looking) server locations.

As such, our company’s people pose the greatest risk of a security breach. Our way to mitigate risk in this area is to keep communication lines open and to continually mandate security awareness training, with mandatory refreshers on a regular basis. When employees know company policy before they face a security matter, they are better equipped to act in the right way. In this way knowledge is power – or at least empowerment to act in the best interest of the company’s information security.

Risk Assessment Insights

In the table above, an Asset Inventory and Risk Assessment is displayed for our local Customer Care operations. The assets considered are our local IT representative, our contracted security officers, our local HRS representative, our annually mandated information security training, our Peoples software, our networked servers, our customer services database and application, and our employee database system. The asset value for each is listed based on the annual cost to the company for one local call center operation.

The IT Rep and HRS Rep values are based on the annual salary for one full-time equivalent of each, available Monday through Friday. The Security Officer value is based on two-and-a-half full-time equivalents to cover seven days a week and two shifts per day, except Sundays, on which there is just one shift. For the soft assets, the value is based on annual licensing fees. Valuation for ACH is based not on how each asset is intended to function for the benefit of the company, but on how each asset actually functions for the benefit of the company.

The priority rating expresses this as well as the potential loss to the company if the asset were missing. The vulnerabilities that could manifest as a result of threats are listed in the threat descriptions. Because of the security measures already in place, most threats are minimal; however, since employees pose the greatest risk – the risk from within – the uncertainty score is highest where employees have shown the most lack of compliance. The controls’ effectiveness is rated by the “CE” designation in the table.

The risk value is calculated based on the formula above. The table shows the greatest risk values in the areas that have the greatest ARE score. Since people are the highest vulnerability, the additional controls needed are those associated with shoring up the people resources. Only one of the needed controls listed is technical; the others are administrative or managerial.

Conclusion

Risk management is a matter of both chance and calculation. The calculation is in the preparation for the chance that a risk or threat will come.