Assessment 1 - Using AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines, define risk management.

Risk management by definition is 'coordinated activities to direct and control an organisation with regard to risk' (Standards Australia 2009, p.2), herein known as 'the Standard'. The Standard further defines the components which deliver a framework with which organisations can effectively manage risk. There are several principles of risk management which form the basis of this framework. These principles emphasise that the risk management process:
• Creates and protects value for the organisation
• Is integral to all organisational processes
• Forms part of the decision-making process
• Addresses uncertainty
• Is systematic, structured and timely
• Is based on the best available information
• Is tailored
• Takes into account human and cultural factors
• Is transparent and inclusive
• Is dynamic, iterative and responsive to change, and
• Facilitates continuous improvement

Risk management requires a framework of design, implementation and monitoring to ensure its effectiveness in an organisation, through the development of a risk management plan.
Because risk cannot be eliminated entirely, the risk management process allows information security program managers to balance the operational and economic costs of protective measures and achieve gains in mission capability (NIST, 2011).

Principles and Fundamentals

The most effective way to implement risk management is to systematically identify critical assets and operations, as well as vulnerabilities across the agency. Risk is the impact of a realised threat on a vulnerability, as per the following risk equation: Risk = Threat × Vulnerability × Event Cost. Threat is the likelihood that a particular vulnerability will be successfully attacked over a certain period. Vulnerability is any weakness in a given system whose exploitation leads to a violation, as well as any non-compliance with mandated information security requirements.
What is the purpose of a risk assessment? How can hazards be identified? What is risk management?
Hazard - the potential to cause harm to a person, the environment or property.
Risk - the severity of harm caused if the hazard is not contained.
Risk Assessment - the process in which a hazard and its risk are evaluated so that action can be prioritised. Hazards can be identified by communication between relevant persons in any number of ways.
Risk Management - the policy that an organisation puts in place to identify, assess, and implement new procedures to remove or decrease risk.
3. There are a number of key provisions of relevant legislation and regulations from all levels of government that may affect aspects of business operations, such as:
* Anti-discrimination legislation.
The DRP would not be a complete document without the BCP. The DRP will note how the business's functional recovery will be performed. The plan will state compartmentalised recovery strategies for specific systems in a step-by-step method. The purpose of the DRP is to provide a documented means of restoring the integrity of the IT systems and to provide a measure of protection against human error. If a disaster strikes, the normal operation of the business is suspended and replaced with the operation noted in the DRP.
Establishing the possibility and type of damage or threats that relate to the sensitive nature of the customer information.
3. Means to control the risks with regard to the direction of the policies and procedures that are created specifically for customer information systems.
4. All steps in the proper disposal of customers' information should be applied.
These factors consider the organisation's team and reporting structure, level of support and commitment, and the overall impact on the organisation. The factors are then quantified and prioritised based on these criteria, then reviewed to ensure the projects do not exceed the organisation's resource capabilities. The selection criteria may also include return on investment, risks and the time frame. PPM involves a strategic process that allows decision makers to visualise and monitor the performance of each project by taking into account whether the project is performing or underperforming. PPM is gaining interest because of organisations' need to respond to the challenges of a globalised, information-rich, dynamic and competitive environment. PPM has helped project officers negotiate between stakeholders according to the organisation's PPM status.
Case 3: HIPAA Security Rules - Administrative Safeguards - Security Management Process

Per HIPAA, UMC is required to:
1. Diagnose, define, and itemise common risks while also respecting the confidentiality, integrity, and availability of the onsite information system in which the EPHI is stored.
2. Implement policies and procedures to prevent, detect, contain, and correct security violations. These may be administrative, physical, or technical - like locking doors to rooms containing EPHI, password protection of workstations or files, and facing monitors away from public areas.
This SOP outlines the organisation of the unit safety program and the responsibilities of personnel implementing the safety program.
4. OBJECTIVE. To improve the overall effectiveness of the unit by minimising personnel and equipment losses.
5.
2. Risk assessment - Involves a thorough assessment which "identify(s) risks, estimate their significance and likelihood, and consider how to manage the risks" (Louwers, Ramsay, Sinason, & Strawser, 2007).
3. Control activities - Involve specific actions which help ensure that management's objectives and expectations are carried out.
4.
Finally, prioritising the risks: using both qualitative and quantifiable measurements to prioritise the risks collected. In the second phase, Conducting Decision Support, the action items are to identify and evaluate the organisation's available controls. Microsoft highlights the use of cost-benefit analysis as a good quantitative method (Whitman & Mattord, 2010). The second phase has several steps:
1. Defining the functional requirements - what is necessary to mitigate the risks?