Niidae Wiki
Editing Information security (section)
== Risk management ==
{{Main|Risk management}}
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset).<ref>{{Cite journal|last1=Sodjahin|first1=Amos|last2=Champagne|first2=Claudia|last3=Coggins|first3=Frank|last4=Gillet|first4=Roland|date=2017-01-11|title=Leading or lagging indicators of risk? The informational content of extra-financial performance scores |url=http://dx.doi.org/10.1057/s41260-016-0039-y|journal=Journal of Asset Management|volume=18|issue=5|pages=347–370 |doi=10.1057/s41260-016-0039-y|s2cid=157485290|issn=1470-8272}}</ref> A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man-made or [[natural disaster|act of nature]]) that has the potential to cause harm.<ref>{{Cite journal|last=Reynolds|first=E H|date=1995-07-22|title=Folate has potential to cause harm |url=http://dx.doi.org/10.1136/bmj.311.6999.257|journal=BMJ|volume=311|issue=6999|pages=257|doi=10.1136/bmj.311.6999.257|pmid=7503870|issn=0959-8138|pmc=2550299}}</ref> The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact.<ref>{{Citation|last=Randall|first=Alan|title=Harm, risk, and threat|url=http://dx.doi.org/10.1017/cbo9780511974557.003|work=Risk and Precaution|year=2011|pages=31–42|place=Cambridge |publisher=Cambridge University Press|doi=10.1017/cbo9780511974557.003|isbn=978-0-511-97455-7|access-date=2021-05-29}}</ref> In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property).<ref name="GramaLegal14">{{cite book |url=https://books.google.com/books?id=kqoyDwAAQBAJ&pg=PT38 |title=Legal Issues in Information Security |author=Grama, J.L. |publisher=Jones & Bartlett Learning |pages=550 |year=2014 |isbn=9781284151046}}</ref>

The ''[[Certified Information Systems Auditor]] (CISA) Review Manual 2006'' defines '''risk management''' as "the process of identifying [[vulnerability (computing)|vulnerabilities]] and [[threat (computer)|threats]] to the information resources used by an organization in achieving business objectives, and deciding what [[Countermeasure (computer)|countermeasures]],<ref>{{Cite book|last=Cannon|first=David L.|title=CISA: Certified Information Systems Auditor Study Guide|date=2016-03-04|isbn=9781119056249 |edition=Fourth|pages=139–214|chapter=Audit Process|doi=10.1002/9781119419211.ch3|chapter-url=http://dx.doi.org/10.1002/9781119419211.ch3}}</ref> if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."<ref>{{cite book|title=CISA Review Manual 2006|publisher=Information Systems Audit and Control Association|year=2006|isbn=978-1-933284-15-6|page=85}}</ref>

There are two things in this definition that may need some clarification. First, the ''process'' of risk management is an ongoing, iterative [[Business process|process]]. It must be repeated indefinitely. The business environment is constantly changing and new [[threat (computer)|threats]] and [[vulnerability (computing)|vulnerabilities]] emerge every day.<ref>{{Cite journal|last=Kadlec |first=Jaroslav|date=2012-11-02|title=Two-dimensional process modeling (2DPM) |url=http://dx.doi.org/10.1108/14637151211283320 |journal=Business Process Management Journal|volume=18|issue=6|pages=849–875 |doi=10.1108/14637151211283320|issn=1463-7154}}</ref> Second, the choice of [[countermeasure (computer)|countermeasures]] ([[security controls|controls]]) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.<ref>{{Citation|title=All Countermeasures Have Some Value, But No Countermeasure Is Perfect |url=http://dx.doi.org/10.1007/0-387-21712-6_14|work=Beyond Fear|year=2003|pages=207–232|place=New York|publisher=Springer-Verlag |doi=10.1007/0-387-21712-6_14|isbn=0-387-02620-7|access-date=2021-05-29}}</ref> Furthermore, these processes have limitations, as security breaches are generally rare and emerge in a specific context which may not be easily duplicated.<ref>{{Cite journal |date=October 2017|title=Data breaches: Deloitte suffers serious hit while more details emerge about Equifax and Yahoo |url=http://dx.doi.org/10.1016/s1361-3723(17)30086-6|journal=Computer Fraud & Security|volume=2017|issue=10|pages=1–3 |doi=10.1016/s1361-3723(17)30086-6|issn=1361-3723}}</ref> Thus, any process and countermeasure should itself be evaluated for vulnerabilities.<ref>{{cite journal|last=Spagnoletti|first=Paolo|author2=Resca A.|title=The duality of Information Security Management: fighting against predictable and unpredictable threats|journal=Journal of Information System Security|year=2008 |volume=4|issue=3|pages=46–62|url=http://eprints.luiss.it/955/}}</ref> It is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called "residual risk".<ref>{{Cite journal|last1=Yusoff|first1=Nor Hashim|last2=Yusof |first2=Mohd Radzuan|date=2009-08-04|title=Managing HSE Risk in Harsh Environment|url=http://dx.doi.org/10.2118/122545-ms |journal=All Days|publisher=SPE|doi=10.2118/122545-ms}}</ref>

A [[risk assessment]] is carried out by a team of people who have knowledge of specific areas of the business.<ref>{{Cite thesis |title=Sold out: how Ottawa's downtown business improvement areas have secured and valorized urban space |url=http://dx.doi.org/10.22215/etd/2010-09016|publisher=Carleton University|first=Wesley|last=Baxter|year=2010 |doi=10.22215/etd/2010-09016}}</ref> Membership of the team may vary over time as different parts of the business are assessed.<ref>{{Cite web|last1=de Souza|first1=André|last2=Lynch|first2=Anthony|date=June 2012|title=Does Mutual Fund Performance Vary over the Business Cycle?|url=http://dx.doi.org/10.3386/w18137|location=Cambridge, MA|doi=10.3386/w18137|s2cid=262620435 }}</ref> The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, the analysis may use [[Statistics|quantitative]] analysis.

Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human.<ref>{{cite book|last1=Kiountouzis| first1=E.A.|last2=Kokolakis|first2=S.A.|title=Information systems security: facing the information society of the 21st century|publisher=Chapman & Hall, Ltd.|location= London|isbn=978-0-412-78120-9| date=1996-05-31}}</ref> The [[ISO/IEC 17799|ISO/IEC 27002:2005]] Code of practice for [[information security management]] recommends the following be examined during a risk assessment:
* [[security policy]],
* [[organization]] of information security,
* [[asset management]],
* [[human resources]] security,
* physical and [[environmental security]],
* [[communications]] and operations management,
* [[access control]],
* information systems acquisition, development, and maintenance,
* information security [[incident management]],
* business continuity management,
* regulatory compliance.

In broad terms, the risk management process consists of:<ref name="NewsomeAPract13">{{cite book |title=A Practical Introduction to Security and Risk Management |author=Newsome, B. |publisher=SAGE Publications |pages=208 |year=2013 |isbn=9781483324852}}</ref><ref name="WhitmanManage16">{{cite book |title=Management of Information Security |author1=Whitman, M.E.|author2=Mattord, H.J. |publisher=Cengage Learning |edition=5th |pages=592 |year=2016 |isbn=9781305501256}}</ref>
# Identify assets and estimate their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.<ref>{{Citation|date=2013-03-20|url=http://dx.doi.org/10.4324/9780080958392-20|work=Illustrated Theatre Production Guide|pages=203–232|publisher=Routledge|doi=10.4324/9780080958392-20|isbn=978-0-08-095839-2|access-date=2021-05-29|title=Hardware, Fabrics, Adhesives, and Other Theatrical Supplies}}</ref>
# Conduct a [[threat assessment]]. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.<ref>{{Citation|last=Reason|first=James|title=Perceptions of Unsafe Acts|date=2017-03-02|url=http://dx.doi.org/10.1201/9781315239125-7|work=The Human Contribution|pages=69–103|publisher=CRC Press|doi=10.1201/9781315239125-7|isbn=978-1-315-23912-5|access-date=2021-05-29}}</ref>
# Conduct a [[vulnerability assessment]], and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, [[physical security]], [[quality control]], technical security.<ref>{{Citation|title=Information Security Procedures and Standards|date=2017-03-27|url=http://dx.doi.org/10.1201/9781315372785-5|work=Information Security Policies, Procedures, and Standards|pages=81–92|location=Boca Raton, FL|publisher=Auerbach Publications|doi=10.1201/9781315372785-5|isbn=978-1-315-37278-5|access-date=2021-05-29}}</ref>
# Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.<ref>{{Cite journal|title=Figure S1: Analysis of the prognostic impact of each single signature gene |journal=PeerJ|date=25 June 2020|volume=8|pages=e9437 |doi=10.7717/peerj.9437/supp-1|last1=Zhuang|first1=Haifeng|last2=Chen|first2=Yu|last3=Sheng|first3=Xianfu|last4=Hong|first4=Lili |last5=Gao|first5=Ruilan|last6=Zhuang|first6=Xiaofen |doi-access=free }}</ref>
# Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.<ref>{{Cite journal|last1=Standaert|first1=B.|last2=Ethgen|first2=O.|last3=Emerson|first3=R.A.|date=June 2012|title=CO4 Cost-Effectiveness Analysis - Appropriate for All Situations?|journal=Value in Health|volume=15|issue=4|pages=A2 |doi=10.1016/j.jval.2012.03.015|issn=1098-3015|doi-access=free}}</ref>
# Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.<ref>{{Cite journal|date=November 1996|title=GRP canopies provide cost-effective over-door protection|url=http://dx.doi.org/10.1016/s0034-3617(96)91328-4|journal=Reinforced Plastics|volume=40|issue=11|pages=8 |doi=10.1016/s0034-3617(96)91328-4|issn=0034-3617}}</ref>

For any given risk, management can choose to accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business.<ref>{{Cite web|title=Figure 2.3. Relative risk of being a low performer depending on personal circumstances (2012)|url=http://dx.doi.org/10.1787/888933171410|access-date=2021-05-29 |doi=10.1787/888933171410}}</ref> Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce the risk. In some cases, the risk can be transferred to another business by buying insurance or outsourcing to another business.<ref name=SP80030>{{cite web|url=https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01 |title=NIST SP 800-30 Risk Management Guide for Information Technology Systems |year=2002 |doi=10.6028/NIST.SP.800-30 |access-date=18 January 2022|last1=Stoneburner |first1=Gary |last2=Goguen |first2=Alice |last3=Feringa |first3=Alexis }}</ref> The reality of some risks may be disputed. In such cases leadership may choose to deny the risk.<ref>{{Citation|title=May I Choose? Can I Choose? Oppression and Choice |work=A Theory of Freedom|year=2012|publisher=Palgrave Macmillan|doi=10.1057/9781137295026_4 |isbn=978-1-137-29502-6 |last1=Welch |first1=Shay |pages=53–72 }}</ref>

=== Security controls ===
{{Main|security controls}}
Selecting and implementing proper security controls will initially help an organization bring down risk to acceptable levels.<ref>{{Cite journal|last=Parker|first=Donn B.|date=January 1994|title=A Guide to Selecting and Implementing Security Controls |url=http://dx.doi.org/10.1080/10658989409342459|journal=Information Systems Security|volume=3|issue=2|pages=75–86 |doi=10.1080/10658989409342459|issn=1065-898X}}</ref> Control selection should follow, and be based on, the risk assessment.<ref>{{Cite journal|last1=Zoccali|first1=Carmine|last2=Mallamaci|first2=Francesca|last3=Tripepi|first3=Giovanni|date=2007-09-25 |title=Guest Editor: Rajiv Agarwal: Cardiovascular Risk Profile Assessment and Medication Control Should Come First |url=http://dx.doi.org/10.1111/j.1525-139x.2007.00317.x|journal=Seminars in Dialysis|volume=20|issue=5|pages=405–408 |doi=10.1111/j.1525-139x.2007.00317.x|pmid=17897245|s2cid=33256127|issn=0894-0959}}</ref> Controls can vary in nature, but fundamentally they are ways of protecting the confidentiality, integrity or availability of information. [[ISO/IEC 27001]] has defined controls in different areas.<ref>{{Cite book|url=http://dx.doi.org/10.3403/9780580829109|title=Guide to the Implementation and Auditing of ISMS Controls based on ISO/IEC 27001|date=2013-11-01|publisher=BSI British Standards|isbn=978-0-580-82910-9 |location=London|doi=10.3403/9780580829109}}</ref> Organizations can implement additional controls according to the requirements of the organization.<ref name="JohnsonSecurity15">{{cite book |url=https://books.google.com/books?id=X7SYBAAAQBAJ&pg=PA9 |title=Security Controls Evaluation, Testing, and Assessment Handbook |author=Johnson, L. |publisher=Syngress |pages=678 |year=2015 |isbn=9780128025642}}</ref> [[ISO/IEC 27002]] offers a guideline for organizational information security standards.<ref>{{Citation|title=Information technology. Security techniques. Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002 |url=http://dx.doi.org/10.3403/30310928|publisher=BSI British Standards|doi=10.3403/30310928|access-date=2021-05-29}}</ref>
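The six-step risk management process and the accept/mitigate/transfer decision described in the Risk management section above, carried through numerically as an added example (this code is not part of the article or of any cited source). It assumes the standard annualized-loss model, single loss expectancy times annual rate of occurrence, which the article only calls "quantitative analysis"; every asset value, rate, probability and control cost below is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Scenario:
    asset: str
    value: float        # step 1: estimated asset value (constructed figure)
    threat: str         # step 2: threat source
    exposure: float     # step 4: share of the asset's value lost per event
    annual_rate: float  # step 2: expected attempts or events per year
    p_exploit: float    # step 3: probability an attempt exploits the vulnerability

@dataclass
class Control:
    name: str
    annual_cost: float
    residual_p: float   # p_exploit once the control is in place

def annual_loss(s: Scenario, p_exploit: Optional[float] = None) -> float:
    """Annualized loss expectancy: single-loss expectancy x annual rate x exploit probability."""
    p = s.p_exploit if p_exploit is None else p_exploit
    return s.value * s.exposure * s.annual_rate * p

def treat(s: Scenario, controls: List[Control], tolerance: float) -> Tuple[str, float]:
    """Steps 5-6: accept a risk already within tolerance; otherwise mitigate with the
    control whose yearly risk reduction most exceeds its own cost (proportional response);
    if no control pays for itself, transfer the risk (insurance or outsourcing).
    Returns (decision, residual annual loss)."""
    ale = annual_loss(s)
    if ale <= tolerance:
        return "accept", ale
    best, best_net = None, 0.0
    for c in controls:
        net = (ale - annual_loss(s, c.residual_p)) - c.annual_cost
        if net > best_net:
            best, best_net = c, net
    if best is None:
        return "transfer", ale
    return f"mitigate:{best.name}", annual_loss(s, best.residual_p)

# Constructed risk register: (scenario, candidate controls for that scenario)
REGISTER = [
    (Scenario("customer database", 2_000_000, "external intrusion", 0.25, 4.0, 0.05),
     [Control("patching + MFA", 60_000, 0.01), Control("outsourced SOC", 250_000, 0.005)]),
    (Scenario("warehouse", 5_000_000, "flood", 0.6, 0.02, 1.0),
     [Control("flood barriers", 80_000, 0.2)]),
    (Scenario("office printer", 1_500, "hardware failure", 1.0, 0.5, 1.0), []),
]

def plan(tolerance: float = 5_000) -> Dict[str, Tuple[str, float]]:
    """Run the treatment decision over the whole register."""
    return {s.asset: treat(s, ctrls, tolerance) for s, ctrls in REGISTER}

if __name__ == "__main__":
    for asset, (decision, residual) in plan().items():
        print(f"{asset:18} {decision:24} residual annual loss {residual:>10,.0f}")
```

With these figures the database risk is mitigated (the cheaper control saves more than it costs), the flood risk is transferred because no candidate control pays for itself, and the printer risk is accepted as already below tolerance.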