|
Читайте также: |
A comprehensive treatment of the topic of risk management is beyond the scope of this article. However, a useful definition of risk management will be provided as well as some basic terminology and a commonly used process for risk management.
The CISA Review Manual 2006 provides the following definition of risk management: “Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what counter-measures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.”
There are two things in this definition that may need some clarification. First, the process of risk management is an ongoing interactive process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerability emerge every day. Second, the choice of countermeasure (computer)s (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man-made or act of nature) that has the potential to cause harm.
The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.
A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion, or where reliable dollar figures and historical information is available, the analysis may use quantitative analysis.
Vocabulary
authenticity – подлинность
genuine – настоящий, подлинный
validate – удостовериться
party – сторона
involve – вовлекать
claim – заявлять, выдавать
imply – подразумевать
intention – намерение
fulfill – выполнять
obligation – обязательство
deny – отрицать
signature – подпись
establish – устанавливать
risk management – управление риском
comprehensive – всесторонний
treatment – рассмотрение, толкование
beyond – вне
scope – сфера, область
definition – определение
commonly – обычно
Review – обзор, периодический журнал
manual – руководство
identification – идентификация
vulnerability – слабое место
threat – угроза
achieve – достигать
objective – цель
countermeasure – контрмера
if any – если таковые имеются
acceptable – приемлемый, допустимый
value – ценность, оценка
clarification – прояснение, разъяснение
ongoing – непрерывно продолжающийся
indefinitely – неопределённо
environment – окружение, среда
constantly – постоянно
emerge – возникать
choice – выбор
strike – 1.нарушать, ударять, 2.выравнивать
asset – актив
likelihood – вероятность
cause – вызывать
harm – вред
weakness – слабость
endanger – подвергать опасности
inflict – причинить
impact – влияние
income – доход
identify – определять
eliminate – устранять
residual – остаточный
assessment – оценка
carry out – осуществлять
team – команда
membership – членство
vary – различаться
qualitative – качественный
opinion – мнение
reliable – надёжный
quantitative – количественный
CISA – certified information systems auditor
Exercises
Дата добавления: 2015-11-14; просмотров: 42 | Нарушение авторских прав
| <== предыдущая страница | | | следующая страница ==> |
| Confidentiality | | | VIII. Insert prepositions |