Tuesday, September 15, 2009

Risk Management: Week 6


1. What is the best value that should be assessed when evaluating the worth of an information asset to the organization - replacement cost or lost income while repairing or replacing?

The best value to assess when evaluating the worth of an information asset depends on the type of organization and the kinds of information assets it uses; either measure can be the more important one, depending on the work the organization does. A business may have an information asset that generates a large share of its revenue, or one that service delivery depends on. In such cases, lost income is the important measure. In other cases, an organization may hold unique assets that are highly valuable in themselves: such machines or assets may be worth more than their purchase cost, because spare parts for them are not easily available. In such cases, replacement cost needs to be taken into consideration.

2. What is the likelihood value of a vulnerability that no longer must be considered?

Likelihood is defined as “the probability that a specific vulnerability within an organization will be successfully attacked”. While performing a risk assessment, a numeric value is assigned to each vulnerability: the stronger the vulnerability, the closer the number assigned will be to 1.0, and vice versa. Therefore, the value of a vulnerability that no longer must be considered will be close to zero, as the chance of the vulnerability existing is nil.

3. In what instances is baselining or benchmarking superior to cost benefit analysis?

Benchmarking is defined as ‘the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization’. Baselining is related to the concept of benchmarking, where a ‘value or profile of a performance metric can be compared with changes in the performance metric’. Cost benefit analysis, on the other hand, is an analysis of ‘the worth of the information asset to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability’. By using CBA (Cost Benefit Analysis), companies can determine whether or not an information asset is worth protecting and, if so, how much it is going to cost to put sufficient controls in place to protect the organization from threats and vulnerabilities. Baselining or benchmarking is superior to cost benefit analysis in cases where an organization wants information about its performance compared with another organization's; it can be used to identify strategic areas of opportunity, rather than just establishing the financial value of information and whether or not it is acceptable to implement security at an acceptable percentage of that value.
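To make the two ideas in questions 2 and 3 concrete, here is an added worked example (my own code, not part of the original post or the textbook): a vulnerability's likelihood (0.0 to 1.0) scales the asset's value into an expected annual loss, and a control is only worth buying if the loss it avoids exceeds what it costs. The expected-loss formula, the control figures and the asset values are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # annualized cost of running the safeguard
    residual_likelihood: float  # likelihood left after the control is in place, 0.0..1.0


def expected_annual_loss(asset_value, likelihood, occurrences_per_year=1.0):
    """Assumed model: value at risk scaled by the likelihood of successful attack
    and by how often the threat is expected to strike each year."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be in [0, 1]")
    return asset_value * likelihood * occurrences_per_year


def cba(asset_value, likelihood, control, occurrences_per_year=1.0):
    """Cost-benefit of one control: loss avoided minus the control's cost.
    A positive result means the control pays for itself."""
    before = expected_annual_loss(asset_value, likelihood, occurrences_per_year)
    after = expected_annual_loss(asset_value, control.residual_likelihood, occurrences_per_year)
    return before - after - control.annual_cost


def recommend(asset_value, likelihood, controls, occurrences_per_year=1.0):
    """Pick the control with the best net benefit, or None if no control is worth the money.
    A vulnerability whose likelihood is zero (question 2) never justifies spending."""
    if likelihood == 0.0:
        return None, 0.0
    scored = [(cba(asset_value, likelihood, c, occurrences_per_year), c.name) for c in controls]
    best_value, best_name = max(scored)
    return (best_name, best_value) if best_value > 0 else (None, best_value)


if __name__ == "__main__":
    # Constructed sample: an order-processing database worth 200,000 with a 0.5 likelihood
    # of successful attack, and two candidate controls with different costs and effects.
    controls = [
        Control("patch management programme", annual_cost=15_000, residual_likelihood=0.1),
        Control("web application firewall", annual_cost=60_000, residual_likelihood=0.05),
    ]
    print(recommend(200_000, 0.5, controls))   # cheaper control wins: net benefit 65,000
    print(recommend(5_000, 0.2, controls))     # low-value asset: neither control is worth it
    print(recommend(200_000, 0.0, controls))   # retired vulnerability: nothing to protect against
```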

4. How can we find out what an organization's risk appetite is? Why is this important?

Risk appetite is defined as ‘the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility’. Each organization has different views, and each views risk differently. It is difficult to determine what an organization's risk appetite is unless one speaks to senior-level management about the issue. The level of risk appetite also depends on the type of work a company does. If it is a government organization, the risk appetite may be very low, whereas if it's a small business owner, the risk appetite may be high. It is important to know what the risk appetite of an organization is so that proper security measures can be put in place according to the needs, wants and budget of the business organization.
-------------------------------------------------------------------------------------------------
Notes on understanding the Chapter:
This chapter was a bit more technical, with lots of IT terms used; other than that, once I had read the chapter thoroughly, I was able to gain a basic understanding of risk management.
