A Practical Approach to Managing Information System Risk
The mantra in the heads of most security managers is that managing security is about managing risk. Although they know this is the right approach, and they understand the importance of balance in designing and implementing security controls, many of them, including me, came up through the ranks of network engineering, programming, or some other technical discipline. While this prepared us for the technology side of our jobs, it did not sufficiently develop the skills needed to assess and understand the business risk that arises from the use of information systems.
The purpose of this paper is to provide security managers with a working understanding of risk management as it applies to information systems. The processes and tools included assume that organization- and enterprise-level controls are already functioning, and implementation of the target system is taking place within this existing security context.
I begin by exploring the challenges facing security managers every day when trying to balance security with the needs of business managers to maintain and improve operational effectiveness. I then define risk management and provide an overview of how to strategically approach the application of reasonable and appropriate safeguards. Finally, I provide a model and related tools for conducting a risk assessment, selecting the right controls, obtaining approval for implementation, and managing risk throughout the target system’s lifetime.