5.1.1 Risk Management
Risk management is a process that involves three subprocesses:
Risk assessment
Continuous evaluation
Risk mitigation
5.1.1.1 Risk Assessment
Risk assessment is the process through which risks are identified and their impacts evaluated. Identification of risks is the first and foremost step of risk assessment. During the identification of risks, one identifies critical information assets, threats, vulnerabilities, and impacts. Risk assessment involves processes such as asset identification, threat profiling, and vulnerability assessment. It is the first step in the risk management process.
5.1.1.2 Risk Mitigation
Risk mitigation is the next process in risk management. It encompasses the prioritization, implementation, and continuous maintenance of certain risk-reducing measures, which have been identified and evaluated in the risk assessment stage. The risk mitigation process mainly focuses on prioritizing risks based on their impacts and probabilities and devising controls to ensure that the risk is mitigated or, at the very least, reduced.
5.1.1.3 Continuous Evaluation
Once the risks have been assessed and the mitigation plans have been implemented, it is imperative that a particular control or set of controls is continuously evaluated for efficiency and effectiveness. This final phase of a successful risk management program brings the process full circle: the controls (risk-reducing safeguards) are continuously evaluated over time, and because threats and vulnerabilities may constantly be changing, the cycle of risk assessment comes into play yet again.
Threats, vulnerabilities, and their impacts keep evolving and changing over time, with the advancement of technology, a change in the current environment, or the changing business needs of the enterprise. For instance, if a new module is added to the organization's existing application, risk management will have to be performed to understand the effects of the change on the current application. A similar series of risk management processes must be repeated to ensure that any additional risk, which stems from a new module or a changed environment, is adequately addressed. Unfortunately, risk is a concept that is often ignored by most organizations. Most people tend to focus heavily on controls, at their own peril. Controls are derived from the risks identified, evaluated, and prioritized. If a person did not understand risks, controls would probably be useless or only marginally useful. This decreases effectiveness and efficiency and results in a false sense of comfort for the organizations and individuals that are functioning under the false perception that the controls implemented are functional and effective. Web applications are no different. Present-day Web applications play an integral part in the storage, processing, or transmission of the critical information assets of the organization. Web applications, on the other hand, are also being