Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Each of the three elements in the C.I.A. triangle, introduced in Chapter 1, is an essential part of every IT organization’s ability to sustain long-term competitiveness. When an organization depends on IT-based systems to remain viable, information security and the discipline of risk management must become an integral part of the economic basis for making business decisions. These …
4. In risk management strategies, why must periodic review be a part of the process?
It is essential that all three communities of interest conduct periodic management reviews. The first focus of management review is asset inventory. On a regular basis, management must verify the completeness and accuracy of the asset inventory. In addition, organizations must review and verify the threats to and vulnerabilities in the asset inventory, as well as the current controls and mitigation strategies. They must also review the cost effectiveness of each control and revisit the decisions on deployment of controls. Furthermore, managers at all levels must regularly verify the ongoing effectiveness of every control deployed. For example, a sales manager might assess control procedures by walking through the office before the workday starts, picking up all the papers from every desk in the sales department. When the workers show up, the manager could inform them that a fire had been simulated and all of their papers destroyed, and that each worker must now follow the disaster recovery procedures to assess the effectiveness of the procedures and suggest corrections.
5. Why do