A Framework for the Management of Information Security Risks
Autor: peter • December 6, 2012 • Case Study • 1,515 Words (7 Pages) • 1,705 Views
1. Introduction
This paper examines a number of the issues that relate to the
management of risks to information systems or ICT
supported processes. The risk management framework that
is detailed has been developed to meet the requirement for
use by BT on both its internal systems and for development
as a service to its customers.
Before setting out on the development of a framework, a
number of existing methodologies [1—7] were reviewed to
determine whether any of the current frameworks or
methods met the BT requirement for a single, scalable
framework that could be applied to both its own systems and
the full range of systems that belong to its customers. While
many of them partially satisfied the requirement, none of
them fully satisfied the requirement.
In ISO 27001:2005, ‘Information technology —
information security management systems — requirements',
one of the four key process approaches encourages its users
to emphasise the importance of implementing and
operating controls to manage an organisation's information
security risks. Moreover, information security risks must be
managed in the context of the organisation's overall
business risks. The issue of risk is approached in a number of
ways and the approach will be dependent on the type of
organisation and its risk appetite (the level of its willingness
to accept risk).
Risk, in one form or another, is fundamental to all
organisations. All of them are constantly exposed to, and
have to deal with, a range of different types of risk. Some will
embrace risk where they feel that it offers the opportunity
for greater reward, while others are more conservative and
will be considered risk averse. All will seek to ‘treat' the risks
that they identify and will attempt to reduce their exposure
to
...