Security Risk Management Lesson
School of IT&EE, Australian Defence Force Academy, Canberra, Australia
Email: Lawrie.Brown@adfa.edu.au
Abstract
This lesson presents an overview of IT security risk management, including the critical risk assessment process. That process aims to identify threats to, impacts on, and vulnerabilities of an organisation's information and information processing facilities. It determines the likelihood of risks occurring and their consequences, so that they may be controlled and minimised at an acceptable cost. Unfortunately, this process is often not managed well. We include an overview of some key international and national standards that provide guidance on this process, particularly ISO/IEC 13335 and NIST SP800-30. The lesson concludes with a "simplified case study", walking through an example risk assessment for a hypothetical (though based on an actual) organisation, using the process we have described.
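As an added illustration of the assessment process the abstract describes (this is not code from the lesson or from its case study), the following Python sketch keeps a small risk register, rates each threat/vulnerability pair on qualitative likelihood and consequence scales, ranks the results, and then picks the cheapest candidate control that brings each unacceptable risk down to an acceptable level. The scales, the score thresholds, and every asset, threat, control and cost figure are constructed assumptions for the example, not values from ISO/IEC 13335, NIST SP800-30 or the lesson.

```python
"""Worked qualitative risk assessment (constructed example, not the lesson's own).

Likelihood and consequence are rated on assumed 5-step scales, combined into a
score, and mapped to a risk level. Risks above the acceptable level are then
matched with the cheapest control that reduces them enough, which is the
"controlled and minimised at an acceptable cost" step of the process.
"""
from dataclasses import dataclass

# Assumed ordinal scales (the lesson's own scales may differ).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LEVELS = ["low", "medium", "high", "extreme"]  # ordered, lowest first


def risk_level(likelihood: str, consequence: str) -> str:
    """Combine the two ratings: score is the product of the ordinal values,
    thresholds are an assumed mapping onto the four levels."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.consequence)


@dataclass(frozen=True)
class Control:
    name: str
    cost: int              # assumed annual cost in arbitrary units
    likelihood_after: str  # residual likelihood once the control is in place
    consequence_after: str # residual consequence once the control is in place

    @property
    def residual_level(self) -> str:
        return risk_level(self.likelihood_after, self.consequence_after)


def prioritise(register):
    """Rank risks highest score first so treatment starts where it matters most."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def select_control(risk, candidates, acceptable="medium"):
    """Cheapest candidate whose residual level is at or below the acceptable
    level; None when no candidate achieves that, meaning the risk has to be
    escalated rather than quietly accepted."""
    limit = LEVELS.index(acceptable)
    adequate = [c for c in candidates if LEVELS.index(c.residual_level) <= limit]
    return min(adequate, key=lambda c: c.cost, default=None)


def treatment_plan(register, options, acceptable="medium"):
    """Map each risk above the acceptable level (in priority order) to the
    chosen control, or None. Risks already acceptable are left out."""
    limit = LEVELS.index(acceptable)
    plan = {}
    for risk in prioritise(register):
        if LEVELS.index(risk.level) > limit:
            plan[risk] = select_control(risk, options.get(risk, []), acceptable)
    return plan


# Constructed sample register and candidate controls.
PAYROLL = Risk("payroll server", "malware infection", "unpatched OS", "likely", "major")
WEBSITE = Risk("public web site", "defacement", "weak admin password", "possible", "minor")
CUSTDB = Risk("customer database", "data theft", "no encryption at rest", "possible", "catastrophic")
PRINTERS = Risk("office printers", "hardware failure", "ageing equipment", "almost certain", "insignificant")
SAMPLE_REGISTER = [WEBSITE, PRINTERS, PAYROLL, CUSTDB]

PATCHING = Control("patch management", 20, "unlikely", "major")
PATCH_AND_AV = Control("patch management + anti-malware", 35, "rare", "major")
DISK_ENCRYPTION = Control("encrypt database at rest", 50, "possible", "minor")
DLP = Control("data loss prevention gateway", 200, "unlikely", "moderate")
SAMPLE_OPTIONS = {PAYROLL: [PATCHING, PATCH_AND_AV], CUSTDB: [DISK_ENCRYPTION, DLP]}

if __name__ == "__main__":
    for risk, control in treatment_plan(SAMPLE_REGISTER, SAMPLE_OPTIONS).items():
        chosen = f"{control.name} (cost {control.cost})" if control else "no adequate control: escalate"
        print(f"{risk.asset}: {risk.level} -> {chosen}")
```

Only risks above the acceptable level appear in the plan, and a risk for which no candidate control reaches that level is reported with `None` rather than being dropped, so the gap is visible to whoever owns the decision.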
References
- William Stallings, Lawrie Brown, "Computer Security: Principles and Practice", 1/e, Prentice-Hall, 2007. Ch 16, "IT Security Management and Risk Assessment".
- ISO/IEC, "ISO/IEC 13335-1:2004 - Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management".
- National Institute of Standards and Technology, "Risk Management Guide for Information Technology Systems", Special Publication 800-30, July 2002.
Copyright © 2007 Lawrie Brown