RISK MANAGEMENT

Risk Management involving Security Breaches

Risk Management involving Security Breaches

Introduction

A general term that encompasses all aspects of the measures taken to safeguard computer systems and the data they contain from losses attributable to any kind of attack, whether initiated by people or natural elements. A given system's security boils down to a calculated assessment of the risks entailed by losses, the costs imposed by security measures, and the likelihood that the system will be subjected to attack. A secure computer system, therefore, is a dependable system that offers its users a desirable level of performance and protection against loss while, at the same time, raises the costs, difficulty, and risks of attack to a level that discourages all or nearly all intrusions.

A system's security is dependent on five fundamental measures: authentication (users cannot access the system without proving their identity), access control (users are assigned varying levels of access permissions and cannot access those resources that are denied to them); confidentiality (data is protected from unauthorized disclosure); availability (the system is protected from attacks intended to make the system unavailable for its intended use); integrity (data and software are protected from unauthorized modification); non-repudiation (users who initiate messages or transactions cannot deny that they did so); and privacy (users retain control over the use and dissemination of personal or other confidential information they supply to the system).

NIST Security Breach Procedures

How NIST handles security breaches

Currently, information risk management is one of the most topical and rapidly developing areas of strategic and operational management in the field of information security. The main task of NIST is to identify and evaluate the most relevant information for the business risks of the company, as well as the adequacy of risk controls used to increase the effectiveness and efficiency of economic activities of the company. Therefore, NIST refers to the term "information risk management" as a systematic process of identifying, controlling and reducing risks at companies. However, NIST handles risk management in accordance with certain limitations of the legislation law, and its own corporate security policies. NIST believes that good risk management allows optimum performance and cost risk controls and protection of information adequate to the current aims and objectives of the company's business (Tipton, 2011).

There is a widespread dependence of successful companies to use organizational measures and technical means to monitor and reduce risk. For effective information, risk management has developed special techniques such as the techniques used by NIST and a few other companies. In line with these techniques, the management of information risks for any company involves the following. First, it involves defining the goals and objectives to protect information assets. Second, an effective system for assessing and managing information risk. Third, it involves a set of detailed calculations, which are not only qualitative, but also quantitative estimates of risk, and adequate stated business objectives. Fourth, it incorporates the use of special tools for assessment and risk management (Mitchell, 2009). NIST handles the security breaches by the following methods (Hubbard, 2009):

Authentication: this ...