
228 Informatica Economică vol. 15, no. 1/2011

Security Risk Management - Approaches and Methodology

Elena Ramona STROIE, Alina Cristina RUSU
Academy of Economic Studies, Bucharest, Romania
[email protected], [email protected]

In today's economic context, organizations are looking for ways to improve their business, to keep ahead of the competition and grow revenue. To stay competitive and consolidate their position on the market, companies must use all the information they have and process their information for better support of their missions. For this reason managers have to take into consideration the risks that can affect the organization and they have to minimize their impact on the organization. Risk management helps managers to better control business practices and improve the business process.

Keywords: Risk Management, Security, Methodology

1 Introduction

Today's economic context is characterized by a competitive environment which is permanently changing. To face this fierce competition, managers must take the correct strategic decisions based on real information. In order to maintain the authenticity and the accuracy of the information used in the decision process, any organization must use informatics systems to process its information and for a better support of its missions. For this reason, the risk management of information security plays a very important role in organizational risk management, because it assures the protection of the organization from threatening information attacks that could affect the business activity and therefore its mission.

An effective risk management process is based on a successful IT security program. This does not mean that the main goal of an organization's risk management process is to protect its IT assets, but to protect the organization and its ability to perform its missions. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization and its leaders. [1]

2 Risk management: definition and objectives

The concept of risk management is applied in all aspects of business, including planning and project risk management, health and safety, and finance. It is also a very common term amongst those concerned with IT security. A generic definition of risk management is the assessment and mitigation of potential issues that are a threat to a business, whatever their source or origin. [2]

The concept of risk management is now fairly universally understood, having been in widespread use for a number of years. It is applied in all aspects of business. To discuss the definition of risk management it is necessary to explain in advance the meaning of the three main concepts:

Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).

Threat is the potential cause of an unwanted impact on a system or organization (ISO 13335-1). A threat can also be defined as an undesired event (intentional or unintentional) that may cause damage to the goods of the organization.

Vulnerability is a weakness in system procedures, system architecture, its implementation, internal control and other causes that can be exploited to bypass security systems and gain unauthorized access to information. A vulnerability represents any weakness, administrative process, act or statement that makes information about an asset capable of being exploited by a threat.

Risk management is a process consisting of:
- identifying vulnerabilities and threats to the information resources used by an organization in achieving its business objectives;
- risk assessment, by setting the probability and impact of the risk materializing through threats exploiting vulnerabilities;
- identifying possible countermeasures and deciding which ones could be applied, in order to reduce the risk to an acceptable level, based on the value of the information resource to the organization. [3]

The goal of performing risk management is to enable the organization to maintain its activity results at the highest values. This process should combine, as efficiently as possible, all factors which can increase the probability of success and decrease the uncertainty of achieving objectives. Risk management should be an evolving process. Particular attention should be given to the implementation of the strategies for eliminating or reducing the risk and their application, to the analysis of the past evolution of risks and to the prediction of present and future events. The management process should be implemented at the highest management level.

In IT&C, one of the most important goals of risk management is accomplished by better securing the informatics systems that store, process, or transmit organizational information; by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and by assisting management in authorizing (or accrediting) the IT systems, on the basis of the supporting documentation resulting from the performance of risk management. [1]

3 Risk management approaches: proactive and reactive approach

Risk management can be approached in two ways: reactive and proactive. The reactive approach may be an effective response to the security risks that have already occurred through creating security incidents. The analysis of the causes of security incidents could help the organization to prevent their repetition and be prepared for any possible problems. Companies that respond to security incidents in a calm and rational way, while they determine the causes that have allowed the incidents to occur, will be able to respond in a shorter time to similar problems arising.

There are six steps that an organization should take into consideration when the reactive approach is applied:

1. Protecting human life and safety
It is the most important and most active of the six. Organizations have to respect laws that protect the employees and that require protection measures to prevent work accidents. The computerization of the production process has spread to many activities in an organization, so situations often arise where production risks and the security of information systems are likely to endanger human life and health.

2. Controlling damage
It is an activity that consists of stopping or controlling the spread of the damage produced through the risks that have materialized. In case of a cyber-attack, organizations should take actions to protect information, important applications and the hardware components as soon as possible, and minimize the time when the system is not working properly. Sometimes keeping the system available during such an attack may increase the damage.

3. Damage assessment
Damage assessment is done while restoring activity and after reinstating all systems affected by the risk. If assessing cyber damage involves conducting detailed investigations of the incident, the organization should immediately proceed to restore or replace hardware, reinstall the software used and recover the affected data. If the damage assessment takes too long, contingency plans should be considered so that the organization resumes normal activity without bigger damage.

4. Determine the damage cause
During this activity, to discover the starting point of an attack, it is necessary to understand what resources have been targeted by attacks and which vulnerabilities were exploited to gain access or to discontinue the services. The system configuration should be investigated, and also the patch level, system logs, audit logs and audit trails. These operations help to discover the place where the attack started and what resources were affected.

5. Repairing the damage
This activity is very important because the damage must be repaired in the shortest time in order to restore the information system, to resume the organization's activity and to recover the data affected by the attack. That is why every business action plan should include a data recovery strategy. After the damage has been repaired, the elimination or the reduction of the vulnerabilities that were exploited during the incident should be considered.

6. Review responses and updating policies
Another activity related to the reactive approach refers to the process of evaluating the way in which

Therefore organizations have to develop in parallel the incident response method and a proactive approach to security policies. The proactive approach consists of several main categories of activities:
- making special training activities for staff whose work is at risk;
- developing and implementing formalized work procedures to meet safety requirements and quality standards for each of its activities;
- establishing an internal control system on compliance with the work procedures developed and with the specific legislation in force (of personnel carrying out inspection activities, establishing procedures for the conduct of control, the establishment of measures for eliminating the possibility of application dysfunction found in the inspection, etc.);
- periodic evaluation of the viability of the proactive measures applied in order to reduce or eliminate risks.

4 Risk management process

Risk management is a permanent cycle
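The three-step process described in section 2 (identify threat and vulnerability pairs on an information resource, assess probability and impact, select countermeasures that bring the risk to an acceptable level in proportion to the resource's value) can be carried through on a small risk register. The following Python script is an added example written for this page; it is not code from the paper or its authors. The scoring model (expected loss = asset value x probability x impact), the rule that a countermeasure must not cost more than the exposure it removes, and every asset, threat, value and factor in the sample data are constructed assumptions for illustration.

```python
"""Worked risk register: identify, assess, select countermeasures.

Added example for the three-step risk management process; the scoring model
and all sample figures below are constructed assumptions, not the paper's.
"""
import itertools
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str           # information resource used by the organization
    threat: str          # potential cause of an unwanted impact
    vulnerability: str   # weakness the threat could exploit
    asset_value: float   # value of the resource to the organization (assumed units)
    probability: float   # 0..1, assumed chance per year the threat exploits the weakness
    impact: float        # 0..1, assumed fraction of asset value lost if it does

    def exposure(self) -> float:
        # Assumed scoring model: expected annual loss.
        return self.asset_value * self.probability * self.impact


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    probability_factor: float = 1.0   # multiplier on probability (1.0 = unchanged)
    impact_factor: float = 1.0        # multiplier on impact (1.0 = unchanged)


def assess(risk: Risk, options: Sequence[Countermeasure],
           acceptable: float) -> Tuple[Optional[List[str]], float]:
    """Pick the cheapest combination of countermeasures whose residual exposure
    is at or below the acceptable level and whose cost is justified by the
    exposure it removes. Returns (chosen names, residual exposure), or
    (None, exposure) when no justified combination reaches the level and the
    risk must be accepted or treated another way."""
    best = None  # (cost, combo, residual)
    for n in range(len(options) + 1):
        for combo in itertools.combinations(options, n):
            p, i = risk.probability, risk.impact
            for c in combo:
                p *= c.probability_factor
                i *= c.impact_factor
            residual = round(risk.asset_value * p * i, 2)
            cost = sum(c.cost for c in combo)
            if residual > acceptable:
                continue                      # does not reach the acceptable level
            if cost > risk.exposure() - residual:
                continue                      # spending more than the risk removed
            if best is None or cost < best[0]:
                best = (cost, combo, residual)
    if best is None:
        return None, round(risk.exposure(), 2)
    return [c.name for c in best[1]], best[2]


# Constructed sample register (all figures are illustrative assumptions).
DATABASE_RISK = Risk("customer database", "SQL injection by external attacker",
                     "unvalidated input in web form", 500_000, 0.30, 0.60)
DATABASE_OPTIONS = [
    Countermeasure("input validation and parameterized queries", 15_000, probability_factor=0.1),
    Countermeasure("database encryption at rest", 20_000, impact_factor=0.5),
    Countermeasure("web application firewall", 30_000, probability_factor=0.4),
]

PAYROLL_RISK = Risk("payroll server", "ransomware via phishing e-mail",
                    "staff unaware of phishing", 200_000, 0.20, 0.80)
PAYROLL_OPTIONS = [
    Countermeasure("staff awareness training", 5_000, probability_factor=0.5),
    Countermeasure("offline tested backups", 8_000, impact_factor=0.25),
]

BROCHURE_RISK = Risk("public brochure website", "defacement",
                     "outdated CMS plugin", 20_000, 0.50, 0.30)
BROCHURE_OPTIONS = [Countermeasure("CMS upgrade project", 5_000, probability_factor=0.1)]

ACCEPTABLE_LEVEL = 10_000.0   # assumed organization-wide tolerance per risk


if __name__ == "__main__":
    for risk, options in [(DATABASE_RISK, DATABASE_OPTIONS),
                          (PAYROLL_RISK, PAYROLL_OPTIONS),
                          (BROCHURE_RISK, BROCHURE_OPTIONS)]:
        chosen, residual = assess(risk, options, ACCEPTABLE_LEVEL)
        print(f"{risk.asset}: exposure {risk.exposure():.0f}, "
              f"chosen {chosen}, residual {residual:.0f}")
```

The brochure website shows the two edge cases the process must handle: with the 10,000 tolerance its 3,000 exposure is already acceptable, so no countermeasure is selected; with a stricter tolerance of 1,000 the only option would cost more than the exposure it removes, so `assess` returns `None` and the risk has to be accepted or treated in another way rather than over-spent on.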
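Step 4 of the reactive approach (determine the damage cause by examining system and audit logs to find where the attack started and which resources were affected) is the one step of the six that can be shown directly on data. The Python script below is an added example for this page, not code from the paper or its authors. It assumes a simple constructed log format (timestamp, host, event, key=value fields) and a constructed log extract; the entry-point heuristic (a burst of failed logins from one source to one host followed by a successful login) is an assumption chosen for illustration, not a method the paper prescribes.

```python
"""Log triage for the reactive step 'determine the damage cause'.

Added example; the log format, the sample lines and the entry-point
heuristic are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed audit-log extract: "<date> <time> <host> <event> key=value ...".
SAMPLE_LOG = """
2011-03-02 08:50:00 web01 login_ok src=10.0.0.12 user=alice
2011-03-02 08:51:30 web01 file_read src=10.0.0.12 user=alice resource=/var/www/index.html
2011-03-02 08:52:05 db01 login_failed src=10.0.0.12 user=alice
2011-03-02 08:52:11 db01 login_ok src=10.0.0.12 user=alice
2011-03-02 08:55:10 web01 login_failed src=198.51.100.23 user=admin
2011-03-02 08:55:14 web01 login_failed src=198.51.100.23 user=admin
2011-03-02 08:55:19 web01 login_failed src=198.51.100.23 user=admin
2011-03-02 08:55:23 web01 login_ok src=198.51.100.23 user=admin
2011-03-02 08:57:02 web01 file_read src=198.51.100.23 user=admin resource=/etc/shadow
2011-03-02 09:01:40 web01 config_change src=198.51.100.23 user=admin resource=/etc/httpd/conf
2011-03-02 09:02:15 web01 service_stop src=198.51.100.23 user=admin resource=httpd
2011-03-02 09:10:00 db01 login_ok src=10.0.0.12 user=alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for key, value in re.findall(r"(\w+)=(\S+)", m["rest"]):
        entry[key] = value
    return entry


def find_entry_point(entries: List[Dict[str, str]], min_failures: int = 3) -> Optional[Dict]:
    """Assumed heuristic: the earliest (source, host) pair where at least
    min_failures failed logins were followed by a successful one is treated as
    the place where the attack started. Entries must be in time order."""
    failures = defaultdict(list)   # (src, host) -> timestamps of failed logins
    for e in entries:
        key = (e.get("src"), e["host"])
        if e["event"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["event"] == "login_ok" and len(failures[key]) >= min_failures:
            return {"source": key[0], "entry_host": key[1],
                    "start": failures[key][0], "failed_logins": len(failures[key]),
                    "compromised_at": e["ts"]}
    return None


def affected_resources(entries: List[Dict[str, str]], source: str, since: str) -> List[str]:
    """Resources touched by the source after the compromise, as host:resource, in time order."""
    seen: List[str] = []
    for e in entries:
        if e.get("src") == source and e["ts"] >= since and "resource" in e:
            tag = f"{e['host']}:{e['resource']}"
            if tag not in seen:
                seen.append(tag)
    return seen


def investigate(log_text: str) -> Optional[Dict]:
    """Run the whole step: parse, order, locate the entry point, list affected resources."""
    entries = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])       # ISO-style timestamps sort as text
    entry = find_entry_point(entries)
    if entry is None:
        return None
    entry["affected"] = affected_resources(entries, entry["source"], entry["compromised_at"])
    return entry


if __name__ == "__main__":
    print(investigate(SAMPLE_LOG))
```

In the sample, alice's single mistyped password on db01 stays below the failure threshold and is not reported, while the three failures from 198.51.100.23 followed by success mark web01 as the starting point and the subsequent reads, configuration change and service stop become the list of affected resources to carry into step 5 (repairing the damage).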