Information System Risk Management
Claudia I. Campos
CJA 570 Cyber Crime and Information Systems Security
July 5, 2010
The realization of potential risks to an organization's information system has increased in the past few years. Understanding the principles of risk management, vulnerabilities, internal threats, and external threats is the first step in determining which levels of security are necessary to protect an organization's information system and limit its risks. This essay will describe the principles of risk management as they pertain to the information system and its associated technology at Professional Security Training School. Moreover, this essay will explore the vulnerabilities of that system and specifically address the nature of potential internal and external threats, including natural or unintended events that can jeopardize the system. Finally, it will determine what levels of security are appropriate to secure the information system while allowing a maximum amount of uninterrupted workflow.
Information System Risk Management
Businesses realize that the security of their information system is a major part of continuing organizational operations and providing services. The principles of risk management, identification, assessment, and prioritization, must be worked through by management prior to establishing and implementing levels of information system security. In addition, vulnerabilities, internal threats, and external threats must be uncovered and addressed to secure the information system. Establishing different levels of security to secure the information system of Professional Security Training School (PSTS) will limit potential security threats. In analyzing the information system risks of PSTS, decisions must be made to deter or limit potential security threats in three areas: the client database, staff accessibility, and client privacy.
Risk Management Principles
In identifying the risk principles of the information systems for PSTS, management must remember that it is a process. Risk management is a team project and should begin by establishing a risk management committee. The risk management committee should involve representatives of management, departments, and information systems. The division of information activities, such as payroll, database, website, and Internet provider, should be assigned to the respective department management for the asset identification process. In performing a risk management assessment, the key is to identify the organization's information assets and the possible threats to each asset. In addition, the assessment must identify and implement procedures to diminish the threats, as well as evaluate those procedures to measure their effectiveness. Regarding prioritization, the risk management committee must determine which risks have a higher priority and require immediate attention, and which risks are of lower priority. A medium level of risk falls between the high and low levels. In determining higher priority risks, the risk management committee should assess whether the procedures established are sufficient to diminish the threat, or whether higher controls must be developed. Furthermore, once procedures or higher controls have been implemented, the risk management committee must evaluate whether the threats have been minimized or eliminated completely. PSTS management has never identified the information risks or established a risk management committee. The owner believes that because of the small size of the company and the lack of a network, the risks are low. This lack of understanding of the risks the organization runs with client personal information, such as social security numbers, driver's license numbers, dates of birth, etc., is detrimental to continued workflow if that information is compromised. Moreover, if a client's personal...