IT Risk Management, Network Engineering

6 atomic elements of infosec

  1. Confidentiality is the protection of personal information. Confidentiality means keeping a client’s information between you and the client, and not telling others, including co-workers, friends, family, etc.

  Restricting access to data:
  • Protecting against unauthorized disclosure of the existence of data
    • e.g., allowing an industrial spy to deduce the nature of the clientele by looking at directory names
  • Protecting against unauthorized disclosure of the details of data
    • e.g., allowing a 13-year-old girl to examine HIV+ records in a Florida clinic

  2. Possession or Control is the control a person intentionally exercises toward a thing. In all cases, to possess something, a person must have an intention to possess it.

Selecting and implementing proper controls will initially help an organization bring risk down to acceptable levels. Control selection should follow, and be based on, the risk assessment. Controls can vary in nature, but fundamentally they are ways of protecting the confidentiality, integrity or availability of information.

  Control over information:
  • Preventing physical contact with data
    • e.g., the case of a thief who recorded ATM PINs by radio (but never looked at them)
  • Preventing copying or unauthorized use of intellectual property
    • e.g., violations by software pirates

  Confidentiality and Possession Losses:
  • Locating
  • Disclosing
  • Observing, monitoring, and acquiring
  • Copying
  • Taking or controlling
  • Claiming ownership or custodianship
  • Inferring
  • Exposing to all of the other losses
  • Endangering by exposing to any of the other losses
  • Failure to engage in or to allow any of the other losses to occur when instructed to do so

  3. Integrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and morals. Integrity is a personal choice, an uncompromising and predictably consistent commitment to honor moral, ethical, spiritual and artistic values and principles.

In information security, data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.

Internal consistency, validity, fitness for use:

  • Avoiding physical corruption
    • e.g., database pointers trashed or data garbled
  • Avoiding logical corruption
    • e.g., inconsistencies between the order header total sale and the sum of the costs of the details

  4. Authenticity is an integral component of information security. In the field of information security, as well as in the fields of e-Business and computing, it is of great importance to ensure the genuineness of physical or electronic documents, communications, transactions, and data.

In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be. Some information security systems incorporate authentication features such as “digital signatures”, which give evidence that the message data is genuine and was sent by someone possessing the proper signing key.

  Correspondence to intended meaning:
  • Avoiding nonsense
    • e.g., a part number field that actually contains a cost
  • Avoiding fraud
    • e.g., the sender’s name on an e-mail is changed to someone else’s

  Integrity & Authenticity Losses:
  • Insertion, use, or production of false or unacceptable data
  • Modification, replacement, removal, appending, aggregating, separating, or reordering
  • Misrepresentation
  • Repudiation (rejecting as untrue)
  • Misuse or failure to use as required

  5. Availability

Availability refers, unsurprisingly, to the availability of information resources. An information system that is not available when you need it is almost as bad as none at all. It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure.

Ensuring that information systems and the necessary data are available for use when they are needed. Traditionally, computer systems were made available for staff use by the IT department in the early morning, and then closed down again by the IT staff before running their ‘End of Day’ routines. Availability was thus the poor relation of Confidentiality and Integrity in security terms. However, the extension of the working day (for example because of trading with different time zones) and the growth of 24×7 systems, associated with e.g. web sites, Internet (on-line) trading and cash point machines, coupled with the threats of viruses and intrusions, mean that availability has become a much more important element of Information Security work.

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down.

Timely access to data:

  • Avoid delays
    • e.g., prevent system crashes and arrange for recovery plans
    • Denial-of-service (DoS) attacks can be ruinous
    • High-volume commercial sites can lose millions of dollars
  • Avoid inconvenience
    • e.g., prevent mislabeling of files

  6. Utility

A specialised program designed for more technical users as a tool, or set of tools, for checking the system, housekeeping, monitoring system health/status, repairing files, etc. Access to utility programs by non-technical users should be restricted.

Usefulness for specific purposes:

  • Avoid conversion to a less useful form
    • e.g., replacing dollar amounts by their foreign currency equivalent
  • Prevent impenetrable coding
    • e.g., an employee encrypts source code and “forgets” the decryption key.

Classic Triad

The CIA Triad is a venerable, well-known model for security policy development, used to identify problem areas and necessary solutions for information security.

In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals. For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) as the core principles of information security.

CIA refers to Confidentiality, Integrity and Availability. Confidentiality of information, integrity of information and availability of information. Many security measures are designed to protect one or more facets of the CIA triad.


Confidentiality refers to limiting information access and disclosure to authorized users — “the right people” — and preventing access by or disclosure to unauthorized ones — “the wrong people.”  Authentication methods like user-IDs and passwords, that uniquely identify data systems’ users and control access to data systems’ resources, underpin the goal of confidentiality.

Confidentiality is related to the broader concept of data privacy — limiting access to individuals’ personal information.

When we talk about confidentiality of information, we are talking about protecting the information from disclosure to unauthorized parties. Information has value, especially in today’s world: bank account statements, personal information, credit card numbers, trade secrets, government documents. Everyone has information they wish to keep secret. Protecting such information is a very major part of information security.

A key component of protecting information confidentiality is encryption. Encryption ensures that only the right people (people who know the key) can read the information. Encryption is VERY widespread in today’s environment and can be found in almost every major protocol in use. A very prominent example is SSL/TLS, a security protocol for communications over the internet that has been used in conjunction with a large number of internet protocols to ensure security. Other ways to ensure information confidentiality include enforcing file permissions and access control lists to restrict access to sensitive information.


Integrity refers to the trustworthiness of information resources. It includes the concept of “data integrity” — namely, that data have not been changed inappropriately, whether by accident or deliberately malign activity.  It also includes “origin” or “source integrity” — that is, that the data actually came from the person or entity you think it did, rather than an imposter.

Integrity can even include the notion that the person or entity in question entered the right information — that is, that the information reflected the actual circumstances (in statistics, this is the concept of “validity”) and that under the same circumstances would generate identical data (what statisticians call “reliability”).

On a more restrictive view, however, integrity of an information system includes only preservation without corruption of whatever was transmitted or entered into the system, right or wrong.

Integrity of information refers to protecting information from being modified by unauthorized parties.

Information only has value if it is correct. Information that has been tampered with could prove costly. For example, if you were sending an online money transfer for $100, but the information was tampered with in such a way that you actually sent $10,000, it could prove to be very costly for you.

As with data confidentiality, cryptography plays a very major role in ensuring data integrity. Commonly used methods to protect data integrity include hashing the data you receive and comparing it with the hash of the original message. However, this means that the hash of the original data must be provided to you in a secure fashion. More convenient methods would be to use existing schemes such as GPG to digitally sign the data.
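As an added illustration (not code from the original post) of why a bare hash only helps when the reference hash itself arrives securely: the $100 transfer from the text is checked first with a plain SHA-256 digest and then with a keyed HMAC-SHA256 tag, which stands in here for the digital signature the text mentions. The sample messages and the shared key are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the $100 transfer from the text, and a tampered copy.
ORIGINAL = b"transfer 100 USD from acct 1234 to acct 9876"
TAMPERED = b"transfer 10000 USD from acct 1234 to acct 9876"


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 digest: anyone can compute it, so it only detects
    accidental corruption or tampering where the hash was left untouched."""
    return hashlib.sha256(data).hexdigest()


def bare_hash_check(received: bytes, received_hash: str) -> bool:
    """Receiver recomputes the hash over the received data and compares."""
    return hmac.compare_digest(sha256_hex(received), received_hash)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256) standing in for a signature: only holders
    of the key can produce a valid tag for a given message."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_check(key: bytes, received: bytes, received_tag: str) -> bool:
    """Receiver recomputes the tag with the shared key and compares
    in constant time."""
    return hmac.compare_digest(hmac_tag(key, received), received_tag)


def demo() -> dict:
    # Key shared between sender and receiver out of band (constructed here).
    key = secrets.token_bytes(32)
    reference_hash = sha256_hex(ORIGINAL)
    reference_tag = hmac_tag(key, ORIGINAL)
    return {
        # Honest delivery: both checks pass.
        "honest_hash_ok": bare_hash_check(ORIGINAL, reference_hash),
        "honest_hmac_ok": keyed_check(key, ORIGINAL, reference_tag),
        # Data altered but the reference hash left alone: plain hash catches it.
        "tamper_data_only_hash_ok": bare_hash_check(TAMPERED, reference_hash),
        # Data altered AND the hash recomputed by the tamperer (possible when
        # the hash travels over the same insecure channel): plain hash is fooled.
        "tamper_data_and_hash_ok": bare_hash_check(TAMPERED, sha256_hex(TAMPERED)),
        # Same substitution against the keyed tag: without the key the tamperer
        # cannot produce a matching tag, so the check fails as it should.
        "tamper_data_hmac_ok": keyed_check(key, TAMPERED, reference_tag),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {passed}")
```

The `tamper_data_and_hash_ok` result is the point of the paragraph: a check that passes for a forged message is what you get when the reference hash is not delivered securely or signed.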


Availability of information refers to ensuring that authorized parties are able to access the information when needed. Availability refers, unsurprisingly, to the availability of information resources.  An information system that is not available when you need it is almost as bad as none at all.  It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure.

A modern medical center has a near-total dependency on functioning information systems.  We literally could not operate without them. Availability, like other aspects of security, may be affected by purely technical issues (e.g., a malfunctioning part of a computer or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate). While the relative risks associated with these categories depend on the particular context, the general rule is that humans are the weakest link.  (Again, that’s why your ability and willingness to use our data systems securely is critical.)

Information only has value if the right people can access it at the right times. Denying access to information has become a very common attack nowadays. Almost every week you can find news about high profile websites being taken down by DDoS attacks. The primary aim of DoS attacks is to deny users of the website access to the resources of the website. Such downtime can be very costly. Other factors that could lead to lack of availability to important information may include accidents such as power outages or natural disasters such as floods.

How does one ensure data availability? Backup is key. Regularly doing off-site backups can limit the damage caused by damage to hard drives or natural disasters. For information services that are highly critical, redundancy might be appropriate. Having an off-site location ready to restore services in case anything happens to your primary data centers will heavily reduce the downtime in case anything happens.


The CIA triad is a very fundamental concept in security. Often, ensuring that the three facets of the CIA triad are protected is an important step in designing any secure system. However, it has been suggested that the CIA triad is not enough. Alternative models such as the Parkerian hexad (Confidentiality, Possession or Control, Integrity, Authenticity, Availability and Utility) have been proposed. Other factors besides the three facets of the CIA triad are also very important in certain scenarios, such as non-repudiation. There have been debates over the pros and cons of such alternative models, but that is a post for another time.


The four documents that need to be prepared to implement contingency planning

  1. Business Impact Analysis. The entire planning process begins with an assessment of the risks associated with these The first function in the development of the CP process is the business impact analysis (BIA). A BIA is an investigation and assessment of the impact that various attacks can have on the organization. The BIA takes up where the risk assessment process leaves off. It begins with the prioritized list of threats and vulnerabilities identified in the risk management process and adds critical information. The BIA is a crucial component of the initial planning stages because it provides detailed scenarios of the potential impact each attack could have on the organization.
  2. Incident Response Plan. The actions an organization can and perhaps should take while the incident is in progress should be defined in a document referred to as the incident response (IR) plan. An incident is any clearly identified attack on the organization’s information assets that would threaten the assets’ confidentiality, integrity, or availability. The IR plan deals with the identification, classification, response, and recovery from an incident. The IR plan provides answers to questions victims might pose in the midst of an incident, for example, “What do I do now?” As was noted in the opening scenario, the IT organization was ready to respond to the unusual events that had alerted JJ to an unusual situation. In that example, a simple process is used, based on documented procedures that were prepared in For another example, a systems administrator may notice that someone is copying information from the server without authorization, signaling violation of policy by a potential hacker or an unauthorized employee. What should the administrator do first? Whom should they contact? What should they document? The IR plan supplies the answers.
  3. Disaster Recovery Plan. The most wisely implemented form of mitigation strategy is the disaster recovery plan. A disaster recovery (DR) plan deals with the preparation for and recovery from a disaster, whether natural or man-made. Although media backup strategies are an integral part of the disaster recovery plan, the overall program includes the entire spectrum of activities used to recover from an incident. The DR plan can include strategies to limit losses before and during the disaster. These strategies are fully deployed once the disaster has stopped. DR plans usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede. The DR planning and IR planning (IRP) development processes overlap to a degree. In many regards, the DR plan is the subsection of the IR plan that covers disastrous events. The IR plan is also flexible enough to be useful in situations that are near disasters but still require coordinated, planned actions. While some DRP and IRP decisions and actions are the same, their urgency and results can differ dramatically. DRP focuses more on preparations completed before and actions taken after the incident, whereas IRP focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, also concrete actions.
  4. Business Continuity Plan. The third type of planning within the mitigation strategy is business continuity planning (BCP). A business continuity (BC) plan is a document that expresses how an organization ensures that critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site if a catastrophic incident or disaster occurs. The BC plan is the most strategic and long term of the three plans. It encompasses the continuation of business activities if a catastrophic event occurs, such as the loss of an entire database, building, or operations center. The BCP development process includes planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DR plan to restore Many companies offer services as a contingency against disastrous events such as fires, floods, earthquakes, and most natural disasters.

Example: these are the four contingency planning documents for an Australian zoo

  1. Specific disease contingency plans that document the strategies to be followed in order to detect, contain and eliminate the disease.
  2. Standard operating procedures for activities and programmes that may be common to several or all emergency disease campaigns.
  3. Enterprise manuals that set out zoosanitary guidelines for enterprises that may be involved in an emergency animal disease outbreak.
  4. Simple job description cards for individual officers.

These plans should be written in straight-forward language that can be understood and followed by all those who have to implement them. There is no need to replicate the last three sets of documents in the specific disease contingency plans. There should, however, be cross-referencing.


Seven groups that are responsible for implementing IT risk management

  1. Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.
  2. Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance, including its information security components. Decisions made in these areas should be based on an effective risk management program.
  3. System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.
  4. Business and Functional Managers. The managers responsible for business operations and IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.
  5. IT Security Program Managers and Computer Security Officers. IT security program managers and computer security officers (ISSOs) are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions. ISSOs also act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis.
  6. IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.
  7. Security Awareness Trainers (Security/Subject Matter Professionals).

The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

As part of information security, risk management is the process used to identify and then control risks to an organization’s information assets. While this process is an expected responsibility for managers in all organizations, information security managers are usually tasked with many of the risk management responsibilities in the information technology areas of an organization’s operations. Very often, the CIO of an organization delegates many accountabilities for risk management to the CISO. It is almost certain that the CIO involves the information security function of the organization in IT risk management activities.

The organizational structure base

  1. Senior management, the mission owners, who make decisions about the IT security budget.
  2. Federal Chief Information Officers, who ensure the implementation of risk management for agency IT systems and the security provided for these IT systems.
  3. The Designated Approving Authority (DAA), who is responsible for the final decision on whether to allow operation of an IT system.
  4. The IT security program manager, who implements the security program.
  5. Information system security officers (ISSO), who are responsible for IT security.
  6. IT system owners of system software and/or hardware used to support IT functions.
  7. Information owners of data stored, processed, and transmitted by the IT systems.
  8. Business or functional managers, who are responsible for the IT procurement process.
  9. Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems.
  10. IT system and application programmers, who develop and maintain code that could affect system and data integrity.

Contingency Planning

Contingency planning is an ongoing process, and the planning process is often as important as the plan itself. Contingency planning is the responsibility of all levels of the organization. IT contingency planning identifies fundamental planning principles and practices to help personnel develop and maintain effective IT contingency plans. The principles meet most organizational needs; however, each organization may have additional requirements specific to its own processes. Contingency planning is usually considered to be part of the risk management program within organizations.

Contingency planning aims to prepare an organization to respond well to an emergency and its potential humanitarian impact. Developing a contingency plan involves making decisions in advance about the management of human and financial resources, coordination and communications procedures, and being aware of a range of technical and logistical responses. Such planning is a management tool, involving all sectors, which can help ensure timely and effective provision of humanitarian aid to those most in need when a disaster occurs.


The importance of implementing Information Technology (IT) risk management

Information technology (IT) is a critical component in achieving a company’s strategy; without effective IT risk management, the value of a deal could be threatened or even eroded. IT risk management is a multidisciplinary undertaking and covers a variety of functional domains.

Some risk-taking is inevitable if an organization is to achieve its objectives. Those organizations that are more risk aware appreciate that actively managing not only potential problems (threats) but also potential opportunities provides them with a competitive advantage. Taking and managing risk is the very essence of business survival and growth.

Effective risk management is likely to improve performance against objectives by contributing to:

  • fewer sudden shocks and unwelcome surprises
  • more efficient use of resources
  • reduced waste
  • reduced fraud
  • better service delivery
  • a reduction in management time spent fire-fighting
  • better management of contingent and maintenance activities
  • lower cost of capital
  • improved innovation
  • an increased likelihood of change initiatives being achieved
  • more focus internally on doing the right things properly
  • more focus externally to shape effective strategies

Many of these benefits are applicable to both the private and public sectors.

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives.

Take the case of home security, for example. Many people decide to have home security systems installed and pay a monthly fee to a service provider to have these systems monitored for the better protection of their property.



How do we control risk? An explanation of the four risk control strategies.

We must first start by identifying and clearly understanding the associated risks. In order to identify risks, the whole process must be evaluated from start to finish. For example: a manufacturer of automotive parts should evaluate the process from the time raw materials enter the building until the finished product reaches the end user. Supporting aspects of the operation such as maintenance, sales, and clerical work must also be evaluated in the identification process. Historical data such as loss runs, injury logs, and compliance audit results should be analyzed to determine any performance trends.

Four basic strategies are used to control risk:

  1. Apply safeguards (avoidance)

Avoidance attempts to prevent the exploitation of the vulnerability. This is the preferred approach, as it seeks to avoid risk in its entirety rather than dealing with it after it has been realized. It is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and/or adding protective safeguards. Three areas of control: policy, training and education, and technology.

  2. Transfer the risk (transference)

Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations. If an organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise.

This allows the organization to transfer the risk associated with the management of these complex systems to another organization with established experience in dealing with those risks.

  3. Reduce the impact (mitigation)

Mitigation attempts to reduce the impact of exploitation through planning and preparation. Three types of plans: disaster recovery planning (DRP), business continuity planning (BCP), and incident response planning (IRP).

The most common of the mitigation procedures is the disaster recovery plan or DRP. The actions to take while the incident is in progress are defined in the incident response plan or IRP. Longer-term issues are handled in the business continuity plan or BCP.

  4. Understand all of the consequences and accept the risk without control or mitigation (acceptance)

Acceptance of risk is doing nothing to close a vulnerability and accepting the outcome of its exploitation. Acceptance is valid only when the organization has:

  • determined the level of risk,
  • assessed the probability of attack,
  • estimated the potential damage,
  • performed a thorough cost-benefit analysis,
  • evaluated controls using each appropriate feasibility, and
  • decided that the particular function, service, information, or asset did not justify the cost of protection.

Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off to the expense of applying controls.


Calculating risk in IT

Risk consists of two components: the probability that a negative or harmful event will occur, and the cost, which is the amount of loss or expense that will result from the event. On the surface, the assessment of these two factors leads to a yes/no result: do I accept the risk or not? Do I keep driving in the fog or do I get off the road? In reality, the result is usually far more complex. As we saw in the previous screen, there were a multitude of options to be considered, from fog lights to insurance. You could take advantage of every option available in a quest to reduce the probability of harm occurring to zero, but you will likely run up against two constraints: you can never eliminate risk completely, and your resources are limited. You can pull off the road when there is fog, but now you have created the risk of being hit from behind by another car, or you run the risk of being late to your appointment. You can purchase more insurance to eliminate the possibility of a monetary loss if you keep driving, but try pricing an insurance policy with no deductibles and coverage in the tens of millions of dollars. The cost of such protection is prohibitive. The reality is that you need to prioritize your risk options; in effect, you need to quantify the risk as accurately as possible in order to make a reasonable choice.

The prioritization of risk is achieved through a series of questions:

  1. How important is the asset (i.e. how much does the car cost)?
  2. How vulnerable is the asset to a negative event (i.e. if I rear end the car in front of me, how well will the car survive the crash)?
  3. How likely is it that someone would try to exploit the vulnerabilities (i.e. how good are my driving skills in fog)?
  4. What controls do we have in place to protect the asset from these vulnerabilities (i.e. do I have fog lights)?
  5. If the controls do not provide sufficient protection, what additional controls can we employ to reduce the risk to an acceptable level (if I still can’t see well enough with the fog lights on, what else can I do to avoid an accident)?
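A small worked model of these five questions, added here as an example and not part of the original lesson: each question becomes a field or function, risk is probability times cost, a candidate control is adopted only when the loss it prevents exceeds its annual cost (the acceptance rule from the previous lesson), and assets are ranked by residual expected loss. All asset values, probabilities and control effects below are constructed assumptions, and the multiplicative control model is a simplification chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    annual_cost: float
    probability_factor: float = 1.0  # assumed: 0.3 = cuts event probability to 30%
    impact_factor: float = 1.0       # assumed: 0.5 = halves the loss when the event occurs

@dataclass
class Risk:
    asset: str
    asset_value: float            # Q1: what the asset is worth
    exposure: float               # Q2: fraction of value lost if the event hits (0..1)
    probability: float            # Q3: annual probability someone exploits it (0..1)
    controls: list[Control] = field(default_factory=list)  # Q4: controls in place

def expected_loss(risk: Risk, controls: list[Control] | None = None) -> float:
    """Risk = probability x cost, after applying the given (or existing) controls."""
    prob, loss = risk.probability, risk.asset_value * risk.exposure
    for c in risk.controls if controls is None else controls:
        prob *= c.probability_factor
        loss *= c.impact_factor
    return prob * loss

def control_net_benefit(risk: Risk, candidate: Control) -> float:
    """Q5: risk reduction a further control buys, minus what it costs per year."""
    reduction = expected_loss(risk) - expected_loss(risk, risk.controls + [candidate])
    return reduction - candidate.annual_cost

def decide(risk: Risk, candidate: Control) -> str:
    """'accept' when the protection costs more than the loss it prevents."""
    return "mitigate" if control_net_benefit(risk, candidate) > 0 else "accept"

def prioritize(risks: list[Risk]) -> list[tuple[str, float]]:
    """Rank assets by residual expected loss, highest first."""
    ranked = sorted(risks, key=expected_loss, reverse=True)
    return [(r.asset, expected_loss(r)) for r in ranked]

# Constructed sample register (hypothetical figures, not from any real organization).
BACKUPS = Control("offline backups", annual_cost=3000, impact_factor=0.5)
MFA = Control("MFA on admin accounts", annual_cost=5000, probability_factor=0.3)
WAF = Control("web application firewall", annual_cost=8000, probability_factor=0.2)
RISKS = [
    Risk("customer database", asset_value=500_000, exposure=0.4, probability=0.10,
         controls=[BACKUPS]),
    Risk("public web server", asset_value=50_000, exposure=1.0, probability=0.05),
]
```

With these figures MFA pays for itself on the database (about 7,000 of annual expected loss avoided for 5,000 spent), while the WAF avoids only about 2,000 on the web server for 8,000 spent, so that risk is accepted.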

Historically, information security officers, disaster recovery coordinators and others who needed to make operational risk decisions in the workplace found the answers to these types of questions by referring to prior experience and subjective reasoning. If you worked long enough in information security, you would get a good “feel” for the risks and exposures, and your experience would guide your decisions. But try telling the CEO that you want funding for an expensive project that will improve controls, and that the justification for the request is based on your “gut feeling” and prior experience. No wonder many senior executives view information security as overblown and inscrutable. Until information security can develop tools to objectively identify and measure risk, we will have little credibility with management in explaining the risk options.


Threats to information security

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. This is done through the implementation of an ISMS, for example by implementing controls such as policies and procedures, and by addressing the CIA aspects: confidentiality, integrity, and availability.

A threat is any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. Threats can be natural, human, deliberate or accidental.

Information security threats:

  • People/employees (human error, sabotage, tampering, vandalism, theft, etc.).
  • Low awareness of information security aspects.
  • Advances in IT infrastructure, networking, and distributed working.
  • Growing complexity and effectiveness of hackers and viruses.
  • Electronic mail (e-mail).
  • Nature and accidents (earthquakes, landslides, volcanoes, fires, storms and floods, transportation accidents, hazardous materials related events, solar flares).
  • Malware threats (software designed to destroy, steal private information or spy on a computer system without the consent of the user; malicious code/programs/software, for example trojan horses, viruses, spyware, spam, etc.).
  • Competitors (industrial espionage, intellectual property theft, copyright infringement, mudslinging, etc.).
  • Litigants (seeking confidential data as evidence).
  • The press (bad publicity, exposing trade secrets, exposing strategy and new products).
  • Criminals (kidnapping, bribery, extortion, fraud, physical infrastructure attacks, etc.).
  • Government, terrorist, and political organizations (computer warfare, cyberwarfare, wiretapping, etc.).

Explain IT Risk Management

IT risk management is the application of the principles of risk management to an Information Technology organization in order to manage the risks associated with the field. It also aims to manage the risks that come with the ownership, involvement, operation, influence, adoption and use of IT as part of a larger enterprise.

Alternatively, IT risk management can be seen as a component of a larger enterprise risk management system. This encompasses not only the risks and negative effects of services and operations that can degrade organizational value, but also takes the potential benefits of risky ventures into account.

IT risk management is a process carried out by IT managers that allows them to balance the economic and operational costs of protective measures against the gains in capability that come from protecting the data and information systems that support an organization’s operations.