Applying Risk Management
Risk management is an important element in managing information systems. Applying risk management principles to business procedures is essential because it helps organizations design and maintain a safe systems environment that ensures the confidentiality, integrity, and availability of company data. Kudler Fine Foods has expressed an interest in developing an Enterprise Resource Planning (ERP) system. The primary objective is to improve business administration by integrating stores and business systems. Kudler Fine Foods has three stores in California, and integrating business functions across all stores would be extremely beneficial. This paper will outline the major factors and benefits of applying risk management principles to ensure a secure and effective system.
Risk Management Principles
According to Whitman and Mattord (2010), risk management is a collaborative effort involving information security, information technology, management, and users. It is important to involve all of these areas to devise a comprehensive and effective risk management strategy. The major principles are identifying risks, quantifying risks, planning for risks, and monitoring and managing risks. The first stage is risk identification. This is when the organization's managers identify all of its assets, classify them into meaningful categories, and prioritize them by importance. Assets include various components such as people, processes, data, and all elements of information technology. Gathering information on assets such as people, processes, and data can be challenging because they are not always documented and readily available. The information gathered for people may include position titles, the title of his or her supervisor, security levels, and skills. Information collected for processes may include the procedure description, purpose, IT connections, and document storage location for reference and updates. After listing the assets, the next step is to classify them into categories such as people, data, software, and hardware, and then classify each asset into sub-categories such as confidential, internal, and public. Next, a value or impact is applied to each asset by determining its criticality to the business. Questions that may help in assigning a value include: "Which assets generate the highest profitability?" or "Which asset would impede business functions if it were compromised?" Quantifying risks provides the framework for executives to make informed decisions about the cost and resources surrounding security. All of the steps outlined above are essential in the risk identification stage (Whitman and Mattord, 2010).
After completing the risk identification process, in which all assets are identified and classified, the next phase is to determine the potential threat sources and potential vulnerabilities. Some common threat sources include natural threats, human threats, and environmental threats. According to the National Institute of Standards and Technology (2002), a threat is an exploitation of a vulnerability caused by a threat source. The NIST publication suggests the following: identifying a threat source, indicating the motivation of the source, and outlining the threat actions. This practice will help determine the likelihood of a threat taking advantage of a system vulnerability. Next in the process is identifying vulnerabilities. A vulnerability is a weakness or flaw in the procedures or controls applied to a system. Identifying potential vulnerabilities will help an organization put controls in place to mitigate the risks associated with them. Risk mitigation involves a systematic approach to reducing the exposure to a risk and the likelihood of it occurring. Mitigating defined risks is the gateway for...
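The two stages described above (asset identification and classification, then threat-source, likelihood and vulnerability assessment) are usually recorded in a risk register and ranked so that mitigation effort goes to the highest risks first. The following Python script is an added illustration of that workflow, not part of the original paper; it uses the essay's asset categories and classification labels and a likelihood-times-impact score in the spirit of NIST SP 800-30. Every asset, threat, likelihood and impact value is constructed sample data for a hypothetical three-store grocery chain, and the classification weights and 1 to 5 scales are assumptions chosen for the example.

```python
"""Risk register example (added illustration; all data below is constructed).

Workflow, following the essay's risk identification stage:
  1. list assets and classify them (category + sensitivity + criticality)
  2. pair each asset with a threat source, threat action and vulnerability
  3. score each pairing by likelihood x impact, weighted by asset value
  4. rank the register so the most severe risks are mitigated first
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for the essay's sensitivity sub-categories.
CLASSIFICATION_WEIGHT = {"confidential": 3, "internal": 2, "public": 1}


@dataclass
class Asset:
    name: str
    category: str        # people, data, software or hardware
    classification: str  # confidential, internal or public
    criticality: int     # 1 (low) .. 5 (business-critical), assigned by management


@dataclass
class Risk:
    asset: Asset
    threat_source: str   # natural, human or environmental
    threat_action: str   # what the threat source might do
    vulnerability: str   # the weakness that makes the action possible
    likelihood: float    # 0.0 .. 1.0, chance the vulnerability is exploited
    impact: int          # 1 .. 5, severity to the business if it is

    def score(self) -> float:
        # Risk = likelihood x impact, scaled by how sensitive and critical the asset is,
        # so the same threat scores higher against the payment database than the website.
        weight = CLASSIFICATION_WEIGHT[self.asset.classification] * self.asset.criticality
        return round(self.likelihood * self.impact * weight, 2)


def build_assets() -> list[Asset]:
    """Constructed asset inventory for a hypothetical three-store chain."""
    return [
        Asset("POS transaction database", "data", "confidential", 5),
        Asset("Store wireless network", "hardware", "internal", 3),
        Asset("Public storefront website", "software", "public", 2),
        Asset("Store manager", "people", "internal", 4),
    ]


def build_register() -> list[Risk]:
    """Constructed threat/vulnerability pairings for the assets above."""
    pos_db, wifi, website, manager = build_assets()
    return [
        Risk(pos_db, "human", "theft of customer payment data",
             "unpatched database server", likelihood=0.4, impact=5),
        Risk(wifi, "human", "unauthorized access to store network",
             "default administrator credentials on access points", likelihood=0.6, impact=3),
        Risk(website, "environmental", "hosting outage takes site offline",
             "single hosting provider, no failover", likelihood=0.2, impact=2),
        Risk(manager, "human", "social engineering of staff",
             "no security awareness training", likelihood=0.5, impact=3),
        Risk(pos_db, "natural", "earthquake destroys server room",
             "no offsite backup", likelihood=0.05, impact=5),
    ]


def inventory_by_category(assets: list[Asset]) -> dict[str, list[str]]:
    """Group asset names by the essay's four categories."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for asset in assets:
        grouped[asset.category].append(asset.name)
    return dict(grouped)


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Highest score first, so the mitigation plan starts at the top."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def mitigation_candidates(register: list[Risk], threshold: float) -> list[Risk]:
    """Risks scoring at or above the threshold management is willing to accept."""
    return [r for r in rank_risks(register) if r.score() >= threshold]


if __name__ == "__main__":
    print("Assets by category:", inventory_by_category(build_assets()))
    for risk in rank_risks(build_register()):
        print(f"{risk.score():>6}  {risk.asset.name:<28} {risk.threat_source:<13} "
              f"{risk.threat_action} / {risk.vulnerability}")
```

Run stand-alone, the script prints the register with the payment database theft risk at the top; changing the `threshold` passed to `mitigation_candidates` shows how a different risk appetite shortens or lengthens the list that goes into the mitigation plan.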
References
Whitman, M. E., & Mattord, H. J. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology/Cengage Learning.
National Institute of Standards and Technology. (2002). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pd