Chapter 7
Information Technology Risk Management
Nick Vellani
In this chapter...
Why Information Technology Security Is Important
Information Technology Risk Management
Asset Identification
Information Technology Risk Assessment
Information Technology System Characterization
Threat Assessment
Vulnerability Assessment
Control Evaluation
Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendations
Results Documentation
Risk Mitigation: Options and Strategies
Control Implementation Methodology
Control Categories
Cost-Benefit Analysis
Residual Risk
Evaluation and Refinement
Why Information Technology Security Is Important to Traditional Security Decision Makers
Most security decision makers have heard the term convergence but are confused about its meaning and application. Convergence is defined as the process of two entities coming together to a common point. For the purposes of risk management, convergence is defined as the process of traditional risk man-