Pro+ Content/Information Security magazine

June 2003

The security risk management lifecycle framework

IT security risk management is best approached as a "lifecycle" of activities, one logically leading into the next. The most important thing to remember is that risk is evolutionary, which means these activities must be continuously repeated and refined. Here's a basic framework of critical steps.

Identify Assets

You can't secure an asset if you don't know it exists. The first step in risk management involves asset identification, classification and valuation. CISOs are the custodians of information, not the owners. Make sure you work with departmental and business unit leaders to determine an asset's value to the organization.

Assess Risk

Next comes the difficult part: assessing the overall risk to the asset. There are several formal methods for doing this, including qualitative and quantitative risk analysis. To assess an asset's risk, you have to evaluate three variables: the overall threat to the asset (both inside and outside the organization); its inherent and environmental vulnerability levels; and the cost of loss, ...

