Chapter 4

1. Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.

2. According to Sun Tzu, the two key understandings we must achieve to be successful in battle are Know Yourself and know the enemy. Know yourself First, you must identify, examine, and understand the information and systems currently in place within your organization. This is self-evident. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because a control is in place does not necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective. Know the Enemy Having identified your organization’s assets and weaknesses, you move on to Sun Tzu’s second step: Know the enemy. This means identifying, examining, and understanding the threats facing the organization. You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.
3. The information security community is responsible for risk management in a community but all of the communities must show an interest from management and the users.