Infosec rants. Your 'Daily Source' for Infosec Tips and Tricks (tm). Warning: Bad humour and unintended puns may follow.

Monday, October 06, 2008

Risk Management

Security comes at a price: a very steep price that most businesses are reluctant to pay. I mean, 'isn't it enough that we keep our information in a firewalled DMZ, physically located in an alarmed, hermetically sealed, climate-controlled room, protected by biometrically equipped entry/exit points with twenty-four-hour guards, eight-foot fences... Killer Poodles?'

The answer, in case you are wondering, is no. Unfortunately the premium on Killer Poodles that can sniff network traffic as well as bite intruders is way too high, so other methods need to be employed. One poodleless way to reduce the cost of security is through Risk Management. Wow, that is freaky, I swear I just heard the Internet yawn. No really, Risk Management is the answer! In fact it is the only answer. 'Information Security' = 'Risk Management'. You heard it here first, folks.

Here is an official definition:

Risk management is the identification, measurement, control and minimization of loss associated with uncertain events or risks. It includes the overall security reviews, risk analysis, evaluation and selection of safeguards, cost/benefit analysis, management decisions, safeguard implementation and effectiveness reviews.
- Hansche, S.; Berti, J.; Hare, C. Official (ISC)2 Guide to the CISSP Exam. New York: Auerbach Publications; 2004.
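The definition above lists "measurement", "cost/benefit analysis" and "selection of safeguards" as parts of risk management. The following is an added example (not from this blog or the cited book) showing how those steps are commonly worked through quantitatively: each risk gets a single loss expectancy (asset value x exposure factor) and an annualised loss expectancy (SLE x annual rate of occurrence), and a safeguard is worth buying only when the ALE it removes exceeds its own annual cost. All asset values, rates and safeguard costs below are constructed sample figures, and the `Risk`/`Safeguard` names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # value of the asset at risk, in currency units
    exposure_factor: float   # fraction of asset value lost per incident (0..1)
    annual_rate: float       # expected incidents per year (ARO)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    name: str
    risk_name: str            # the Risk this control addresses
    annual_cost: float        # purchase + running cost, amortised per year
    residual_rate: float      # ARO once the safeguard is in place
    residual_exposure: float  # exposure factor once the safeguard is in place


def residual_ale(risk: Risk, sg: Safeguard) -> float:
    """ALE that remains after the safeguard is applied."""
    return risk.asset_value * sg.residual_exposure * sg.residual_rate


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net annual value: (ALE before) - (ALE after) - (cost of safeguard).

    A negative value means the control costs more than the loss it prevents.
    """
    return risk.ale() - residual_ale(risk, sg) - sg.annual_cost


def rank_risks(risks: List[Risk]) -> List[str]:
    """Risk names ordered by annualised loss expectancy, largest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


def select_safeguards(risks: List[Risk], safeguards: List[Safeguard]) -> List[str]:
    """Names of safeguards with positive net value, best first.

    Raises KeyError if a safeguard refers to a risk that was never assessed,
    since a control without a measured risk behind it cannot be justified.
    """
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    scored = []
    for sg in safeguards:
        if sg.risk_name not in by_name:
            raise KeyError(f"safeguard {sg.name!r} targets unknown risk {sg.risk_name!r}")
        scored.append((safeguard_value(by_name[sg.risk_name], sg), sg.name))
    return [name for value, name in sorted(scored, reverse=True) if value > 0]


# Constructed sample register: two risks, three candidate controls.
SAMPLE_RISKS = [
    Risk("Web server defacement", asset_value=200_000, exposure_factor=0.1, annual_rate=2.0),
    Risk("Customer database theft", asset_value=1_000_000, exposure_factor=0.5, annual_rate=0.1),
]

SAMPLE_SAFEGUARDS = [
    Safeguard("Web application firewall", "Web server defacement",
              annual_cost=15_000, residual_rate=0.5, residual_exposure=0.1),
    Safeguard("Database encryption at rest", "Customer database theft",
              annual_cost=20_000, residual_rate=0.1, residual_exposure=0.1),
    # Expensive, modest effect: the numbers say no to the poodles.
    Safeguard("Killer poodles", "Customer database theft",
              annual_cost=80_000, residual_rate=0.05, residual_exposure=0.5),
]


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: SLE={r.sle():,.0f} ALE={r.ale():,.0f}")
    print("Risks by ALE:", rank_risks(SAMPLE_RISKS))
    print("Worth buying:", select_safeguards(SAMPLE_RISKS, SAMPLE_SAFEGUARDS))
```

With the sample figures the database risk ranks above the defacement risk (ALE 50,000 vs 40,000), encryption at rest and the WAF both pay for themselves, and the poodles are rejected because their annual cost exceeds the 25,000 of ALE they remove. The same structure carries over to the "effectiveness review" step: re-measure the rates after a year and recompute.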

Over my next few bleurghs or what simple folk refer to as a 'blog entry', I will talk about the Risk Analysis part of 'Information Security Management'. For now, go read a book.
