
CS507 - Information Systems - Lecture Handout 36


Risk Management

Risk management is the process of measuring or assessing risk and then developing strategies to manage it. In general, the strategies employed are transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Risk management is a general concept that can cover many kinds of risk: for example, risk management against natural disasters, financial risk management, knowledge risk management and relationship risk management. Whatever kind of risk is being covered, the general approach is much the same. Since this course is focused on the study of information systems, we relate the concept to the risks affecting the proper working of information systems.

Managing the security risks associated with reliance on information technology is a continuing challenge. Many private organizations have struggled to find efficient ways to ensure that they fully understand the information security risks affecting their operations and implement appropriate controls to mitigate those risks. In recent years, systems have become more susceptible to viruses because computers have become more interconnected and, thus, more interdependent and accessible to a larger number of individuals.

Incorporating Risk management in SDLC

The process of risk management is the same for each phase of the SDLC. It is an iterative process that can be performed at each major phase. Every phase of development has its own risks, which need to be identified and addressed separately; hence managing risk in the SDLC means managing the risk of each phase of the life cycle.

Phases of Risk Management

Following are the phases of risk management (the whole sequence can be repeated in each phase of the SDLC):

  • System Characterization
  • Threat Identification
  • Vulnerability Identification
  • Control Analysis
  • Likelihood Determination
  • Impact Analysis
  • Risk Identification
  • Control Recommendation
  • Results Documentation
  • Implementation
  • Monitoring

These phases can also be presented as a diagram (figure: Phases of Risk Management).

What is a Focal Point?

A corporate-level facilitator may serve as a focal point for assessments throughout the company, including those pertaining to information security, because of familiarity with the assessment tools and the reporting requirements. Each business unit in an organization may have a designated individual responsible for the business unit's risk assessment activities. A computer hardware and software company may also create a team for the purpose of improving the overall risk assessment process and reviewing the results of risk assessments of its hardware and software systems, with the aim of offering a better, more reliable and lower-risk product.

System Characterization

In assessing risks for an IT system, the first step is to define the scope of the effort. The resources and information that constitute the system are identified, and the following system-related information is documented:

  1. Hardware
  2. Software
  3. System Interface
  4. Data & Information
  5. People (who support and use the IT system)
  6. System mission (processes performed by the IT system)

Additional information that may help in characterizing the system includes:

  1. Functional requirements of IT system
  2. Users of system (technical support and application users)
  3. System Security Policy
  4. System Security Architecture

The outputs of this phase are:

  1. System Boundary
  2. System function
  3. System and data criticality: the system's value to the organization
  4. System and data sensitivity: the level of protection required to maintain the integrity, confidentiality and availability of the system and its data

The following methods can be used to gather information on the IT system within its operational boundary:

  1. Questionnaires
  2. On-site interviews
  3. Document Review
  4. Use of automated scanning tools

Steps in threat identification

The following steps are carried out in this phase:

  1. Threat source identification: sources range from human to natural threats.
  2. Motivation and threat actions: the reasons why someone would instigate a threat, and the actions they could take in doing so, are identified.

Information such as the history of attacks on the system and data from intelligence agencies is used as input to determine what kinds of threats the system is exposed to. The output of this phase is a threat statement identifying and defining the threats.

Vulnerability Assessment

A vulnerability is a weakness that can be accidentally triggered or intentionally exploited. This phase builds up a list of the weaknesses and flaws that could be exploited by the potential threat sources identified in the previous phase.

The following information is used as input:

  1. Reports of prior risk assessments
  2. Any audit comments
  3. Security requirements
  4. Security test results

The output of this phase is a list of potential vulnerabilities.
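To show how the outputs of the three phases detailed above (system characterization, the threat statement, the vulnerability list) feed the remaining phases of the list given earlier (control analysis, likelihood determination, impact analysis, risk identification, control recommendation), here is an added worked example in Python. It is not part of the handout. The sample system, its assets, threats, vulnerabilities and recommended controls are constructed for illustration, and the likelihood rule is an assumed rule of thumb; only the High/Medium/Low weights and score thresholds follow the likelihood-impact matrix of NIST SP 800-30.

```python
"""Added example: the risk assessment phases of the handout carried out in
code on a constructed (made-up) IT system."""
from dataclasses import dataclass, field

# Qualitative scales. The weights and the thresholds in risk_level()
# reproduce the NIST SP 800-30 risk-level matrix.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
ORDER = {"High": 0, "Medium": 1, "Low": 2}   # used to rank the results


@dataclass
class Asset:
    """Output of System Characterization: a resource inside the system boundary."""
    name: str
    criticality: str                 # the system's value to the organization
    sensitivity: dict                # protection required for "C", "I", "A"


@dataclass
class Threat:
    """One entry of the threat statement produced by Threat Identification."""
    source: str        # human or natural
    motivation: str
    action: str        # what the source can do
    violates: str      # which of C, I, A the action attacks
    capable: bool      # does the source have the means to carry it out?


@dataclass
class Vulnerability:
    """One entry of the list produced by Vulnerability Assessment."""
    asset: str
    weakness: str
    exploited_by: set                        # threat actions that trigger it
    existing_controls: list = field(default_factory=list)   # Control Analysis
    recommended_control: str = ""            # Control Recommendation


@dataclass
class Risk:
    asset: str
    threat: str
    weakness: str
    likelihood: str
    impact: str
    level: str
    recommendation: str


def determine_likelihood(threat, vuln):
    """Likelihood Determination (assumed rule): a capable source against an
    uncontrolled weakness rates High; each existing control lowers it a step."""
    steps = ["High", "Medium", "Low"]
    idx = 0 if threat.capable else 1
    return steps[min(idx + len(vuln.existing_controls), 2)]


def determine_impact(asset, threat):
    """Impact Analysis: impact equals the protection level the asset requires
    for the property (C, I or A) that the threat action violates."""
    return asset.sensitivity[threat.violates]


def risk_level(likelihood, impact):
    """Risk Identification: combine likelihood and impact into a risk level."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(assets, threats, vulns):
    """Run the phases over every (asset, threat, vulnerability) pairing in
    which the threat action can exploit the weakness; rank High risks first."""
    by_name = {a.name: a for a in assets}
    risks = []
    for v in vulns:
        for t in threats:
            if t.action not in v.exploited_by:
                continue             # this threat cannot trigger this weakness
            lik = determine_likelihood(t, v)
            imp = determine_impact(by_name[v.asset], t)
            risks.append(Risk(v.asset, f"{t.source}: {t.action}", v.weakness,
                              lik, imp, risk_level(lik, imp), v.recommended_control))
    return sorted(risks, key=lambda r: ORDER[r.level])


# Constructed sample system (made up for this example).
ASSETS = [
    Asset("payroll-db", "High", {"C": "High", "I": "High", "A": "Medium"}),
    Asset("intranet-web", "Medium", {"C": "Low", "I": "Medium", "A": "Medium"}),
]
THREATS = [
    Threat("disgruntled employee", "revenge", "read salary records", "C", True),
    Threat("external attacker", "financial gain", "deface site", "I", True),
    Threat("flood", "none (natural)", "destroy server room", "A", False),
]
VULNS = [
    Vulnerability("payroll-db", "no access logging or review", {"read salary records"},
                  [], "enable audit logging and quarterly access reviews"),
    Vulnerability("intranet-web", "unpatched web server", {"deface site"},
                  ["perimeter firewall"], "apply vendor patches monthly"),
    Vulnerability("payroll-db", "single site, no off-site backup", {"destroy server room"},
                  ["UPS"], "off-site backup with a tested restore procedure"),
]

if __name__ == "__main__":
    for r in assess(ASSETS, THREATS, VULNS):   # Results Documentation
        print(f"{r.level:6} {r.asset:13} {r.threat:40} -> {r.recommendation}")
```

Running it ranks the unlogged access to payroll data as High, the unpatched but firewalled web server as Medium, and the flood scenario as Low; the ranked list is the input to the Results Documentation, Implementation and Monitoring phases.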