
IT Policy, RISK MANAGEMENT

Date post: 06-May-2015
Page 1: IT Policy, RISK MANAGEMENT

Prepared for :

Professor Dr.Wan Rozaini bt sheik Osman

Prepared by :

Ali Raad Abdulkareem (808934)

Page 2: IT Policy, RISK MANAGEMENT

INTRODUCTION

WHAT IS RISK MANAGEMENT?

THREATS AND VULNERABILITIES

IMPORTANCE OF MANAGING RISK

RISK ASSESSMENT:

Qualitative Risk Assessment

Quantitative Risk Assessment

Managing the Risk

CONCLUSION

Page 3: IT Policy, RISK MANAGEMENT

Every organization has a mission to achieve. Today most institutions rely on automated IT systems to manage the information that supports that mission, so managing risk is essential to protecting the organization's assets, even though it is not an easy task.

Every organization faces uncertainty, and it falls to IT professionals to help the organization understand and manage it. This is difficult: resources are limited, and the landscape of threats and vulnerabilities changes constantly, so risk can never be managed completely.

(Retains, 2006)

Page 4: IT Policy, RISK MANAGEMENT

Risk management is a process for identifying, assessing, and prioritizing risks of different kinds. Once the risks are identified, the risk manager creates a plan to minimize or eliminate the impact of negative events. A variety of strategies is available, depending on the type of risk and the type of business.

(www.theglobalone.net)

Page 5: IT Policy, RISK MANAGEMENT

A threat is one of the components of risk. According to National Institute of Standards and Technology Special Publication 800-30, a threat is the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

(Stoneburner, Goguen and Feringa, 2002)

A threat-source is either a situation and method that may accidentally trigger a vulnerability, or an intent and method targeted at the intentional exploitation of a vulnerability.

Page 6: IT Policy, RISK MANAGEMENT

The other component of risk is the vulnerability. As defined in NIST SP 800-30 (and quoted on Wikipedia), a vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

(en.wikipedia.org)

Page 7: IT Policy, RISK MANAGEMENT

An issue can be positive or negative. In the IT field an issue is a problem, or possibly an opportunity, that can affect IT or business work and projects. Issues are related to risk: if an issue is handled and dealt with, the associated risk is reduced or minimized.

(Chris Chapman and Stephen Ward, 2009)

Page 8: IT Policy, RISK MANAGEMENT

Risk management is the practice of identifying, assessing, controlling and mitigating risks. Threats and vulnerabilities are the key drivers of risk, so identifying the threats and vulnerabilities relevant to the organization is an important step. After that, action can be taken to reduce the potential losses from these risks.

Remember that risk cannot be deleted or eliminated. It can, however, be reduced and handled if it is identified, evaluated, controlled and reviewed correctly. This is what is called risk management.

(Darril Gibson, 2011)

Page 9: IT Policy, RISK MANAGEMENT

The question that arises before risk can be managed is: how should the risk be assessed?

There are two general approaches to risk assessment:

1. Qualitative risk assessment

2. Quantitative risk assessment

(Retains, 2006)

Page 10: IT Policy, RISK MANAGEMENT

Quantitative risk assessment expresses risk in numbers, usually in monetary terms, using mathematical methods drawn from insurance and finance. Finance and insurance companies rely on it because numeric measurement of risk is the standard way of working in those fields.

(Retains, 2006)

Page 11: IT Policy, RISK MANAGEMENT

Qualitative risk assessment defines risk in qualitative, or subjective, terms. Each risk is categorized as "High", "Moderate" or "Low". Such coarse categories are harder to communicate concisely to management than a monetary figure, and the main difficulty of qualitative assessment is defining the likelihood and impact values. That difficulty is shared with quantitative risk assessment.

(Retains, 2006)

Page 12: IT Policy, RISK MANAGEMENT

Risk is common to every project. Every project carries risk, whether high, medium or low. Note, however, that not all risks can be eliminated completely; most can be anticipated and managed ahead of time.

(Retains, 2006)

Managing the Risk Strategies

Mitigation

Avoidance

Transference

Acceptance

Page 13: IT Policy, RISK MANAGEMENT

The most common risk management strategy is mitigation. It involves providing some type of compensating control in order to reduce the likelihood or the impact associated with the flaw. The process of determining the mitigation is called control analysis.

(Retains, 2006)

Put another way, BusinessDictionary defines risk mitigation as a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. It is also called risk reduction.

(www.businessdictionary.com)
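As an added worked example (not part of the original slides), the following Python puts the two assessment styles and the control-analysis step together in one small risk register. The qualitative part uses the risk-level matrix of NIST SP 800-30 (2002), Table 3-7: likelihood weights High 1.0, Medium 0.5, Low 0.1; impact weights High 100, Medium 50, Low 10; a risk is High above 50, Medium above 10 to 50, and Low from 1 to 10. The quantitative part uses the standard single loss expectancy (SLE), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) figures, which the slides do not name. The risks, controls, costs and reduction factors in the register are constructed for illustration.

```python
from dataclasses import dataclass, field

# Weights and bands of the risk-level matrix in NIST SP 800-30 (2002), Table 3-7.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


def qualitative_level(likelihood: str, impact: str) -> str:
    """Qualitative assessment: combine a High/Medium/Low likelihood rating and a
    High/Medium/Low impact rating into a High/Medium/Low risk level."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def annualized_loss(sle: float, aro: float) -> float:
    """Quantitative assessment: ALE = SLE (loss per incident) * ARO (incidents per year)."""
    return sle * aro


@dataclass
class Control:
    """A candidate mitigating control (constructed example values)."""
    name: str
    annual_cost: float
    likelihood_cut: float = 0.0   # fraction of the ARO the control removes, 0..1
    impact_cut: float = 0.0       # fraction of the SLE the control removes, 0..1


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    sle: float
    aro: float
    controls: list = field(default_factory=list)

    @property
    def ale(self) -> float:
        return annualized_loss(self.sle, self.aro)

    def residual_ale(self, c: Control) -> float:
        """ALE that remains after the control reduces likelihood and/or impact."""
        return annualized_loss(self.sle * (1 - c.impact_cut),
                               self.aro * (1 - c.likelihood_cut))


def control_analysis(risk: Risk) -> dict:
    """Mitigate with the control whose yearly net benefit (ALE reduction minus its
    cost) is largest and positive; otherwise the risk is accepted as a known risk."""
    best, best_net = None, 0.0
    for c in risk.controls:
        net = risk.ale - risk.residual_ale(c) - c.annual_cost
        if net > best_net:
            best, best_net = c, net
    level = qualitative_level(risk.likelihood, risk.impact)
    if best is None:
        return {"risk": risk.name, "level": level, "ale": risk.ale,
                "strategy": "Accept", "control": None, "net_benefit": 0.0}
    return {"risk": risk.name, "level": level, "ale": risk.ale,
            "strategy": "Mitigate", "control": best.name, "net_benefit": best_net}


# Constructed register: two risks with hypothetical loss figures and controls.
REGISTER = [
    Risk("Unpatched internet-facing web server", "High", "Medium", sle=80_000, aro=0.5,
         controls=[Control("Monthly patch cycle", 6_000, likelihood_cut=0.8),
                   Control("Web application firewall", 15_000, likelihood_cut=0.5)]),
    Risk("Loss of a laptop holding low-value data", "Low", "Low", sle=2_000, aro=0.1,
         controls=[Control("Full-disk encryption rollout", 500, impact_cut=0.9)]),
]


def plan(register=REGISTER) -> list:
    """Run control analysis over the whole register."""
    return [control_analysis(r) for r in register]


if __name__ == "__main__":
    for row in plan():
        print(row)
```

The first risk rates Medium on the matrix (1.0 x 50 = 50) and costs 40,000 a year in expected loss; the patch cycle cuts that to about 8,000 for 6,000 a year, so it wins over the firewall. The second risk rates Low and its only control costs more than the loss it prevents, so it is accepted, which is the usual fate of low risks the slides describe.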

Page 14: IT Policy, RISK MANAGEMENT

This strategy is not widely used in the IT field. As the name states, the risk is transferred to another party, for example by insuring against the loss or contracting a provider to carry it. Transference is therefore the process of allowing another party to accept the risk on your behalf.

(Retains, 2006)

Page 15: IT Policy, RISK MANAGEMENT

The risk avoidance strategy describes an informed decision not to become involved in activities that could lead to the risk being realized; in other words, the risk is avoided. In information systems, avoidance means removing the vulnerable aspect of the system, or even the system itself.

(Retains, 2006)

Page 16: IT Policy, RISK MANAGEMENT

The risk acceptance strategy is to accept a known risk. Many low risks are simply accepted, and there are cases where even risks with an extremely high potential cost are accepted. Once a risk is accepted, the organization knows exactly what risk it is taking and what the consequences are, so it must seriously consider, identify and rate its risks before accepting them.

(Retains, 2006)

Page 17: IT Policy, RISK MANAGEMENT

Many risks can be identified in any project. Risks may harm the project, or they may be the opportunity that makes it succeed. Managing risk is important because an unhandled, uncontrolled risk can make a project fail. Before risks can be managed, however, they must be carefully identified, rated and determined.

Risk arises from threats, vulnerabilities and issues. Risk can be assessed in two ways, quantitatively and/or qualitatively, and there are four strategies for managing it: mitigation, avoidance, acceptance and transference.

Page 18: IT Policy, RISK MANAGEMENT

What is risk? (2012). The Global One. Retrieved from: http://www.theglobalone.net/2012/04/featured-article-what-is-risk.html

Vulnerability (computing). Wikipedia. Retrieved from: http://en.wikipedia.org/wiki/Vulnerability_%28computing%29

Hetamsaria, N. (2005). Why is risk management important? Retrieved from: http://www.rediff.com/money/2005/dec/27guest.htm

Importance of Risk Management. (2010). Method123 Ltd. Retrieved from: http://blog.method123.com/2010/09/08/importance-of-risk-management/

Lientz, B. P., & Larssen, L. (2006). Risk Management for IT Projects: How to Deal with over 150 Issues and Risks. UK: Elsevier.

Managing Risk. (2010). Business Link (UK). Retrieved from: http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1074410125&type=RESOURCES

Stoneburner, G., Goguen, A., & Feringa, A. (2002). NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, pp. 8, 12, 15.

Risk Acceptance. ENISA Online. Retrieved from: http://www.enisa.europa.eu/act/rm/cr/risk-management-inventory/rm-process/risk-acceptance

Schwalbe, K. (2006). Information Technology Project Management (4th ed.). Thomson Learning.
