Opportunities for academic research in the areas of risk management and information security business impact analysis
This is the fourth article by ETCO India on ArticleBase.com in connection with thesis and dissertation research topics in the areas of IT security, IT systems and communications.
Information assets are critical to the success of modern IT-enabled enterprises. In the modern world, information assets are exposed to threats that emerge almost daily. Threats to information assets give rise to "risks" with a potential impact on the business, and the damage potential of that impact places the risk in a "criticality" class. The key to information security is that a company should know its assets, know the risks to those assets, evaluate the likelihood and impact for the business, accurately measure the risks, and finally apply appropriate defensive strategies to reduce, avoid or transfer the risk. I recommend that information risk management be part of the organization's corporate governance, so that proper attention is drawn to risk management and mitigation strategies can be formulated. In many countries this is a legal requirement if the organization manages critical public systems or data.
To manage information risks, it is imperative to know all the information assets critical to the organization. Any system that creates, transfers or stores information is an information asset: files and folders, databases, hard-copy storage areas, desktops, laptops, shared network resources, employees' drawers and boxes, or employees' own memory (implicit knowledge). The primary requirement of risk management is an "Information Asset Register", a secure database that is updated regularly whenever assets are added, changed or deleted.
Each organization may have its own definitions of the "confidentiality", "integrity" and "availability" parameters for its types of information asset. These parameters should be translated into values assigned to each critical information asset identified in the Information Asset Register. The result, called "NAV", is the asset value recorded against every asset listed in the register.
The next important step is to assess the "threat value" through a detailed analysis of the possible causes, the impact value (based on multiple impacts, such as financial or reputational impact), and the probability of impact. Each organization may have its own parameters for calculating the threat value, because they depend strongly on the exposure factors (such as legal, competition, environment, etc.) that the organization faces now or may face in the future.
The next step is to assess the "loss event value", which is a function of the possible events of asset compromise that the organization can face. Again, every organization can have its own loss event descriptions and evaluation methodology, which are usually classified under the known vulnerabilities in the organization.
The final step is to arrive at the "risk value", which is a function of the asset value, the threat value and the loss event value. The risk value can be calculated differently in different organizations, depending on how many levels of escalation are possible within the organization. Information assets with high risk values have high "vulnerabilities", and appropriate controls must be implemented for them urgently.
Business Impact Analysis is the next step after the risk assessment is complete. The risk assessment process ensures that all information assets of the organization are identified and that their "risk values" are evaluated.
The scale of the risk values is defined by the number of escalation levels possible within an organization. A large organization may use a larger scale of risk values with lower levels of escalation, so that small risks are not unnecessarily raised to higher levels. A small organization may prefer a smaller scale of risk values, so that risk management is more transparent to top management.
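The four assessment steps (asset value, threat value, loss event value, risk value) and the banding of risk values into escalation levels, worked through in Python as an added example that is not part of the original article. The 1 to 5 rating scale, the max and product formulas and the sample register are assumptions, since the article leaves each organization to choose its own.

```python
from dataclasses import dataclass

SCALE = 5  # assumption: every metric is rated 1 (low) to 5 (high)

def rated(value: int) -> int:
    """Reject ratings outside the agreed scale instead of silently skewing risk."""
    if not 1 <= value <= SCALE:
        raise ValueError(f"rating {value} outside 1..{SCALE}")
    return value

@dataclass
class Entry:
    """One row of the Information Asset Register (hypothetical layout)."""
    asset: str
    cia: tuple          # (confidentiality, integrity, availability) ratings
    impacts: dict       # impact type -> rating, e.g. financial, reputation
    probability: int    # likelihood that the threat materialises
    loss_event: int     # loss event value derived from known vulnerabilities

    def asset_value(self) -> int:
        # Assumption: the most demanding CIA requirement sets the asset value.
        return max(rated(v) for v in self.cia)

    def threat_value(self) -> int:
        # Assumption: worst impact across impact types, weighted by probability.
        return max(rated(v) for v in self.impacts.values()) * rated(self.probability)

    def risk_value(self) -> int:
        return self.asset_value() * self.threat_value() * rated(self.loss_event)

def escalation_level(risk: int, levels: int) -> int:
    """Band a risk value into 1..levels escalation levels of equal width."""
    max_risk = SCALE ** 4                    # 5 * (5 * 5) * 5 = 625
    return -(-risk * levels // max_risk)     # ceiling division

def rank(register, levels):
    """Return (asset, risk value, escalation level) rows, highest risk first."""
    rows = [(e.asset, e.risk_value(), escalation_level(e.risk_value(), levels))
            for e in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register, not data from the article.
REGISTER = [
    Entry("Intranet wiki (single server)", (2, 2, 3), {"financial": 2, "reputation": 1}, 4, 5),
    Entry("Customer database backups", (5, 4, 4), {"financial": 4, "reputation": 5}, 3, 4),
    Entry("Visitor log (hard copy)", (3, 1, 1), {"reputation": 2}, 2, 3),
]

if __name__ == "__main__":
    for levels in (3, 5):   # a smaller and a larger organization
        print(levels, rank(REGISTER, levels))
```

With three escalation levels the backup entry lands at level 2; with five levels the same risk value lands at level 3 while the two smaller risks stay at level 1.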
A risk mitigation strategy is required at every level. The mitigation strategy can call for additional investment or additional provisions, depending on the potential business impact of the risk. Some organizations may accept risks up to a certain level because the cost of reducing the risk is higher than the impact on the business. For example, the organization may accept risks that can cause a financial impact of up to 0000, since the cost of mitigating them may be greater than this value. Such decisions can be made by the various management committees or the board after a thorough "Business Impact Analysis". Note that business impacts are different from the asset impacts analyzed during the risk assessment: business impact analysis applies to all business activities, not only to information assets. These decisions are essential for approving a specific investment plan, so that the organization neither invests too much in areas of low criticality nor under-invests in critical areas.
The business impact analysis yields a list of mitigation measures to be carried out. Each time a measure is completed, the risk value can be "normalized" to a lower value reflecting the limited impact. Examples of mitigation measures are: more surveillance; better control of visitors; CCTV cameras and microphones installed in rooms that visitors can enter; thorough analysis of surveillance data by experts; secure offsite data storage; transit of backup tapes in secured containers by bonded couriers; encryption of system backup data before it is written to tape; more clustering and failover for single-server installations; and so on.
Although mitigation measures can reduce risk values, a healthy approach to keeping risk values under control is a sound Information Security Management System (ISMS) within the organization, supported by strategies for disaster recovery, business continuity, services and process services.
Although a number of academic studies have been conducted in these areas, they are largely inadequate, because these areas have developed and grown much faster than the pace of research by scholars and students. I suggest that students take up new topics for dissertations and theses in these areas, because many problems in Information Security Risk Management and Business Impact Analysis have not yet been solved by the academic community.