Risk management is defined as the coordinated activities to direct and control an enterprise with regard to risk. In simple terms, risk can be viewed as a challenge to achieving objectives, and risk management as the activity undertaken to predict challenges and lower their chances of occurring and/or their impact.
Security risk management starts with understanding the organization. Assessing the organization's context includes evaluating the intent and capability of threat actors; the relative value of assets and resources and the degree of trust that must be placed in them; and the presence and extent of vulnerabilities that could be exploited to intercept, interrupt, modify or fabricate data held in information assets.
Security risk management is a cyclical process. The first step is the identification of security risks. The output of risk identification is the input to the second phase, security risk assessment, in which identified risks are analyzed and prioritized. That assessment gives management the data needed for the third phase, risk response and mitigation, which selects and implements cost-effective ways to address the risks that have been identified and assessed. The final phase is risk and control monitoring and reporting, in which the controls, the risk management effort and the current risk state are monitored and the results are reported back to senior management. The cycle repeats as the risk environment changes, whether as a result of internal or external factors.
Benefits of Security Risk Assessment include: