Security+: Risk Management Processes and Concepts


The risk management process is a structured approach to managing risk in IT organizations. Consistently implemented, it allows risks to be identified, analyzed, evaluated, and managed in a uniform, efficient, and focused manner. In this article, we describe most of the risk management processes addressed in the CompTIA Security+ certification, which is a standard for recognizing competence in the IT security landscape.

Understanding the Context of Risk Management

Risk assessment and a mitigation strategy are part of the process of managing risk in many organizations worldwide. This approach represents a critical piece of security work, as it includes the identification and evaluation of each potential risk and its impact. The risk process includes brainstorming sessions in which the team is asked to list everything that could go wrong.

Three concepts are important to consider when risk assessment is established, namely:

The external context: the environment in which the entity operates (e.g., the cultural, financial, and political setting of the type of company) and the potential impact that a risk can produce.

The internal context: factors within the entity that are relevant to the risk assessment, such as objectives, strategy, organizational capabilities, and culture.

The risk management context: the goals and objectives of the risk management activity itself, for example, determining who is responsible for each component and what is in scope.

Risk Management Concepts

Throughout this section, some of the most well-known concepts in risk management are described. These concepts are adopted by IT companies and by information security specialists. Figure 1 below depicts the concepts discussed here.

Figure 1: General workflow of the risk management process.

Risk Identification

The main goal of risk identification is to recognize all the possible risks, and not to eliminate (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pedro Tavares. Read the original post at: