Rethinking IT Asset Valuation, Risk Assessment and Control Implementation

Rethinking IT Asset Valuation
Author: Shemlse Gebremedhin Kassa, CISA, CEH
Date Published: 20 June 2023

Risk management and evaluation are critical to every enterprise's strategic planning for information security. Risk, whether it arises from business processes, people, physical infrastructure or information systems, must be assessed. A security risk evaluation should include assessing the asset's value in order to predict the impact and consequences of any damage. But professionals often face challenges when attempting to give assurance to organizations on asset valuation, risk management and control implementation practices, because there are no clear, universally accepted models and procedures. Fortunately, there are several simple recommendations and applicable models, described herein, that professionals can use to measure and manage assets, risk and controls implementation in their organizations.

Asset Identification, Valuation and Categorization

Identification, valuation and categorization of information systems assets are critical tasks in properly developing and deploying the required security controls for the specified IT assets (e.g., data and their containers). Organizations or individuals implementing security for assets with this model must first identify and categorize the organization's IT assets that need to be protected.

Mapping an information asset (such as data) to all of its critical containers leads to the technology assets, physical records and people that are important to storing, transporting and processing the asset.1 The map of information assets is used to determine all information assets that reside on a specific container. In addition, the value of a container depends on the data that are processed and transported (through the network) or stored (reside) within that specific container. Security audits should assess whether the data or information are processed, transferred and stored in a secure manner.2
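The container map described above, as an added worked example (example code written for this page, not code from the article or from OCTAVE Allegro): each information asset is mapped to the technology, physical and people containers that store, transport or process it; the map is then reversed to list what resides on a given container, and a container's value is derived as the highest rating of any asset on it. The asset names, containers and High/Medium/Low ratings are constructed sample data, and rating per security objective (C/I/A) with a Low default for unmapped containers is an assumption made for the illustration.

```python
"""Asset-to-container map with container value derived from the data on it.

Added example (not code from the article or from OCTAVE Allegro). The assets,
containers and High/Medium/Low ratings below are constructed sample data, and
the per-objective (C/I/A) rating scale is an assumption made for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Ordinal scale for the rating words; the numeric order is an assumption.
RATING = {"Low": 1, "Medium": 2, "High": 3}
OBJECTIVES = ("C", "I", "A")  # confidentiality, integrity, availability


@dataclass(frozen=True)
class Container:
    """Where an information asset lives: a technology, physical or people container."""
    name: str
    kind: str   # "technology" | "physical" | "people"
    role: str   # "store" | "transport" | "process"


@dataclass
class InformationAsset:
    name: str
    impact: dict[str, str]        # rating per security objective, e.g. {"C": "High", ...}
    containers: list[Container]   # every container that stores, transports or processes it


def asset_map(assets: list[InformationAsset]) -> dict[Container, list[InformationAsset]]:
    """Reverse the mapping: for each container, which assets reside on or pass through it."""
    residents: dict[Container, list[InformationAsset]] = {}
    for asset in assets:
        for container in asset.containers:
            residents.setdefault(container, []).append(asset)
    return residents


def container_value(container: Container, assets: list[InformationAsset]) -> dict[str, str]:
    """Per-objective value of a container: the highest rating of any asset on it.

    A container inherits the sensitivity of the data it holds; if nothing is
    mapped to it, it is rated Low (assumption for unmapped containers)."""
    residents = asset_map(assets).get(container, [])
    value = {}
    for objective in OBJECTIVES:
        ratings = [a.impact[objective] for a in residents] or ["Low"]
        value[objective] = max(ratings, key=RATING.__getitem__)
    return value


def overall_rating(value: dict[str, str]) -> str:
    """Collapse the per-objective value to a single rating for prioritisation."""
    return max(value.values(), key=RATING.__getitem__)


def unmapped_containers(assets: list[InformationAsset], inventory: list[Container]) -> list[Container]:
    """Inventory entries no asset map reaches: either unused or a gap in the map worth auditing."""
    mapped = set(asset_map(assets))
    return sorted((c for c in inventory if c not in mapped), key=lambda c: c.name)


# --- constructed sample data (not from the article) ---
DB_SERVER = Container("core-banking-db-01", "technology", "store")
WAN_LINK = Container("branch WAN link", "technology", "transport")
DBA_TEAM = Container("DBA team", "people", "process")
ARCHIVE = Container("off-site paper archive", "physical", "store")
TEST_LAB = Container("test lab VM", "technology", "process")
INVENTORY = [DB_SERVER, WAN_LINK, DBA_TEAM, ARCHIVE, TEST_LAB]

SAMPLE_ASSETS = [
    InformationAsset("customer PII", {"C": "High", "I": "High", "A": "Medium"},
                     [DB_SERVER, WAN_LINK, DBA_TEAM]),
    InformationAsset("general ledger", {"C": "Medium", "I": "High", "A": "High"},
                     [DB_SERVER, DBA_TEAM, ARCHIVE]),
    InformationAsset("marketing brochures", {"C": "Low", "I": "Low", "A": "Low"},
                     [WAN_LINK]),
]

if __name__ == "__main__":
    # Report each container's derived value, then the containers the map never reaches.
    for c in INVENTORY:
        v = container_value(c, SAMPLE_ASSETS)
        print(f"{c.name:24} {c.kind:10} {c.role:9} "
              f"C={v['C']:6} I={v['I']:6} A={v['A']:6} -> {overall_rating(v)}")
    print("unmapped:", [c.name for c in unmapped_containers(SAMPLE_ASSETS, INVENTORY)])
```

Note how the WAN link ends up rated High for confidentiality even though it also carries public marketing material: a shared transport container takes the rating of the most sensitive data that crosses it, which is exactly the point the paragraph makes about container value following the data. Containers that appear in the inventory but in no asset map are the audit finding to chase, since they are either decommissioned or hold data the map missed.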

Risk Assessment and Management

The risk assessment comprises the qualitative assessment and quantitative measurement of individual risk, including the interrelationships of their impacts. Risk management constitutes a strategy to avoid losses and use available opportunities or, rather, the opportunities that may arise from risk areas.3 Oftentimes no single strategy can address all IT asset risk areas; rather, a balanced set of strategies usually provides the most effective solution. Once the risk areas are identified, they can be evaluated as acceptable or not. If a risk is acceptable, no further action is required other than communicating and monitoring the risk, but if the risk is unacceptable, it must be controlled through four separate options of prevention and/or mitigation measures:

  1. Reduce the impact.
  2. Reduce the likelihood.
  3. Transfer the risk (to insurance or a subcontractor).
  4. Avoid the risk (temporarily distancing the target from the threat).

Conclusion

The first step toward information security planning and security control implementation is to manage the risk and valuation of an organization's IT assets. Objectively measuring concepts such as vulnerability, threat, impact of risk, mitigated risk and the implemented control of an asset can be the most difficult part of the process, because subjective judgments during rating selection (high, medium, low) lack uniformity, and the quality and accuracy of the results depend heavily on the assessors' professional experience. The models described here can minimize error and introduce uniformity to the activities and process results carried out by different individuals and their organizations.

Editor's Note

This article is excerpted from an article that was published in the ISACA® Journal. Read the full article, "IT Asset Valuation, Risk Assessment and Control Implementation Model," in vol. 3, 2017, of the ISACA Journal.

Endnotes

1 Caralli R. A.; J. F. Stevens; L. R. Young; W. R. Wilson; “Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process,” Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, May 2007
2 Olivia; "Difference Between Information System Audit and Information Security Audit," DifferenceBetween.com, 16 April 2011
3 [author], F.; "Information Asset Valuation Method for Information Technology Security Risk Assessment," Proceedings of the World Congress on Engineering 2008, vol. I

Shemlse Gebremedhin Kassa, CISA, CEH

Is a systems and IT auditor for United Bank S.C. and a security consultant for MASSK Consulting in Ethiopia. He has a multidisciplinary academic and practicum background in business and IT with more than 10 years of experience in accounting, budgeting, auditing, controlling and security consultancy in the banking and financial industries. Kassa is highly motivated and engaged in IT security projects and research, and he strives to keep up with current systems and IT audit developments in a dynamically changing world with ever-increasing challenges from cybercrime and hacking. He has published articles in local and international journals, including the ISACA Journal.