Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Organizations use risk assessment, the first step in the risk management methodology, to determine the extent of the potential threat, vulnerabilities, and the risk associated with an information technology (IT) system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process, the second step of risk management, which involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems throughout their system development life cycle (SDLC). The ultimate goal is to help organizations to better manage IT-related mission risks.Organizations may choose to expand or abbreviate the comprehensive processes and steps suggested in this guide and tailor them to their site environment in managing IT-related mission risks. In addition, this guide provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information.The third step in the process is continual evaluation and assessment. In most organizations, IT systems will continually be expanded and updated, their components changed, and their software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving.
[1]
Marianne Swanson,et al.
Guide for Developing Security Plans for Information Technology Systems
,
1998
.
[2]
Marianne Swanson,et al.
SP 800-14. Generally Accepted Principles and Practices for Securing Information Technology Systems
,
1996
.
[3]
Marianne Swanson,et al.
Security Self-Assessment Guide for Information Technology Systems
,
2001
.
[4]
J.Timothy Sprehe,et al.
OMB Circular No. A-130, the management of federal information resources: Its origins and impact
,
1987
.
[5]
Dennis Gilbert,et al.
Sample Statement of Work for Federal Computer Security Services: For use In-House or Contracting Out
,
1991
.