Module 2: Participate in Asset Management
Asset management deals with protecting the assets that are valuable to the organization as those assets progress through their lifecycle. We therefore need to address the security of assets at every stage of that lifecycle: creation/collection, identification and classification, protection, storage, usage, maintenance, disposal, retention/archiving, and defensible destruction. To protect valuable assets such as information properly, an organization must implement ownership and classification processes carefully, so that each asset receives a level of protection matched to its value to the organization.
The enormous increase in the collection of personal information by organizations has resulted in a corresponding increase in the importance of privacy considerations. As a result, privacy protection constitutes an important part of asset security.
Appropriate security controls must be chosen to protect the asset as it progresses through its lifecycle, bearing in mind the requirements of each phase and the handling requirements throughout.
Module 3: Understand the Risk Management Process
In this module we begin to look at the risk management process. Risk management is a critical component of an information security program since it drives the selection of controls used to mitigate business and IT risk. The risk management program manages risk, but it does not eliminate it. All activities have an element of risk associated with them (even doing nothing is risky business), so risk management must be an essential part of every organization’s management and operational plans.
In the IT department, we tend to see risk from a negative viewpoint; it represents the problems and inconvenience associated with IT systems failure. We see risk as what happens when something goes wrong, and we are under pressure to fix the problem as quickly as possible. However, in the rest of the business, risk is seen as opportunity — the chance to take a risk and make a return on investment — and the larger the risk, the greater the possible reward (or loss).
First, a definition of risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. It is often expressed as a combination of (1) the adverse impacts that would arise if the circumstance or event occurs, and (2) the likelihood of occurrence.
Note that information system-related security risks are those risks that arise from the loss or compromise of any of the information security attributes (CIANA+PS) required of information or information systems. Such risk reflects the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.
We see from this definition (which comes from the information-system risk context) that risk is associated with threats, impact, and likelihood. But the definition also implies that IT risk is a subset of business risk, and that it must be measured by the impact of the risk event on organizational operations, assets, individuals, and third parties, not merely on the IT systems themselves.
Module 4: Understand the Risk Treatment Process
The next step after gaining an understanding of the context for the risk management effort (through the Risk Frame process) is to perform the risk assessment. Risk assessment is the process of identifying risks and then evaluating and prioritizing them by severity, which is determined from the likelihood of each risk event and the impact it would have. The final deliverable of the risk assessment process is to communicate risk to management, often through a Risk Assessment Report (RAR), and to update the risk register.
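The definition of risk as a combination of impact and likelihood, and the risk register and prioritization described above, can be made concrete with a small scoring example. The following is an added illustration, not code from the course material: it scores each register entry as likelihood × impact on an assumed 5×5 qualitative scale, bands the result, and orders the register for a Risk Assessment Report. The scales, band thresholds, tie-break rule (higher impact ranks first when scores are equal) and the sample risks are all constructed assumptions, not an organizational standard.

```python
"""Added example (not part of the original course material): a minimal risk
register that scores risks as likelihood x impact and prioritizes them for
a Risk Assessment Report. The 5x5 scale, band thresholds, tie-break rule and
sample risks are constructed assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import List

# Assumed qualitative scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def band(score: int) -> str:
    """Map a 1..25 score to a band. Thresholds are an assumed policy choice."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    id: str
    description: str
    asset: str
    attribute: str   # which CIANA+PS attribute the event threatens
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT

    def score(self) -> int:
        # Risk = likelihood of occurrence combined with adverse impact.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so that a severe-but-rare
    event ranks above a likely-but-minor one with the same product."""
    return sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def report(register: List[Risk]) -> List[str]:
    """One line per risk, in priority order, suitable for a RAR summary."""
    lines = []
    for r in prioritize(register):
        lines.append(
            f"{r.id} {band(r.score()):6} score={r.score():2} "
            f"{r.attribute:15} {r.asset}: {r.description}"
        )
    return lines


# Constructed sample register (hypothetical entries).
SAMPLE = [
    Risk("R-1", "Backup tapes disposed of without sanitization",
         "customer database", "confidentiality", "likely", "major"),
    Risk("R-2", "Single-homed ISP link fails",
         "web storefront", "availability", "likely", "moderate"),
    Risk("R-3", "Unreviewed firmware update disables HVAC controllers",
         "data center cooling", "safety", "unlikely", "severe"),
    Risk("R-4", "Stale DNS record points to a decommissioned host",
         "public DNS", "integrity", "possible", "minor"),
    Risk("R-5", "Archived records retained past their destruction date",
         "HR archive", "privacy", "possible", "major"),
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The product is only one way to combine the two factors; the point to keep is that neither likelihood nor impact alone determines priority, and that the register, not the raw scores, is what gets communicated to management.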
Module 5: Chapter 1 Review
Chapter 1 has shown us how information security exists to support the organization in achieving its goals and priorities by protecting its vital information assets. In doing so, the information security team starts with some very fundamental ideas about information security and applies these to understand the potential risks to those assets. We’ve looked at the most important attributes or characteristics of information security, which the mnemonic CIANA+PS represents: confidentiality, integrity, availability, non-repudiation, authenticity, privacy, and safety. These are the touchstones, the criteria, by which we as information security specialists must measure our successes and our failures.
Managing information risk is a primary part of the information security job. Chapter 1 has begun the process of showing us how to manage these risks, within the framework and context of how the organization manages its information assets. Subsequent chapters and their activities will continue to examine these ideas and concepts.
Last, but certainly not least, chapter 1 reminds us that we are members of the professional cadre of information security specialists. Businesses and governments, as well as individuals and organizations, must be able to trust that their day-to-day activities are using reliable, trustworthy information as their fuel. The ethical duties of due care and due diligence, which we examined in this chapter, provide each of us with the guideposts needed as we put our skills and knowledge to work.
In chapter 2, we examine the actions needed to develop a security culture within the organization. We will delve into using policies to enforce security requirements and how we can safeguard our information systems and ensure their use only by authorized users.