ISSC331_Week7_discussion.docx

School: American Military University
Course: 331
Subject: Information Systems
Date: Jan 9, 2024
Type: docx
Pages: 1
Uploaded by fighters18j
Hello Class,

This week we are discussing the use of risk analysis and how it facilitates the development and implementation of an information security policy together with its accompanying standards, guidelines, and procedures. To begin, risk analysis is the process of analyzing, reviewing, and assessing known vulnerabilities and threats (Baskerville et al., 2022). When applying risk analysis to information security and policies, it is important to perform risk assessments. While identifying threats and vulnerabilities is a part of the overall risk assessment, it should also include a review of compliance with information security laws such as HIPAA and the US Sarbanes-Oxley Act. From the IT perspective, the risk analysis is viewed from the outside looking in to identify what could be missing.

When dealing with risks, there are four common responses from organizations: risk avoidance, risk mitigation, risk transfer, and risk acceptance (Rios Insua et al., 2021). Each of these responses can be easily described by its name. Risk avoidance seeks to completely avoid risk by emplacing preventative measures to eliminate it. Risk mitigation is similar, but merely tries to emplace preventative measures with a certain amount of accepted risk. Risk transfer deals with passing off the risk to a third party to handle, such as an insurance company. Lastly, there is risk acceptance, which is aimed at accepting the risk without implementing any of the other risk strategies mentioned above.

In a nutshell, risk analysis drives the development and implementation of policies because it identifies what needs to be included in those policies. Risk analysis reveals what is missing from an organization and can be crucial for the future development and implementation of policies. There is a need to ensure the timeliness of the security policies because it could mean the difference between complying with the law and breaking it. Additionally, there is a need to periodically review and update them because laws change all the time, as do the different kinds of vulnerabilities and holes within the organization that need to be filled.

John

References:

Baskerville, R. L., Kim, J., & Stucke, C. (2022). The cybersecurity risk estimation engine: A tool for possibility based risk analysis. Computers & Security, 120, 102752.

Rios Insua, D., Couce Vieira, A., Rubio, J. A., Pieters, W., Labunets, K., & G. Rasines, D. (2021). An adversarial risk analysis framework for cybersecurity. Risk Analysis, 41(1), 16-36.