This guide describes the risk management methodology, how it fits into each phase of the SDLC,
and how the risk management process is tied to the process of system authorization (or
accreditation).
and how the risk management process is tied to the process of system authorization (or
accreditation).
IMPORTANCE OF RISK MANAGEMENT
Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment. Section 3 of this guide describes the risk assessment process, which includes identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures. Section 4 describes risk mitigation, which refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Section 5 discusses the continual evaluation process and keys for implementing a successful risk management program. The DAA or system authorizing official is responsible for determining whether the remaining risk is at an acceptable level or whether additional security controls should be implemented to further reduce or eliminate the residual risk before authorizing (or accrediting) the IT system for operation.
Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives. Take the case of home security, for example. Many people decide to have home security systems installed and pay a monthly fee to a service provider to have these systems monitored for the better protection of their property. Presumably, the homeowners have weighed the cost of system installation and monitoring against the value of their household goods and their family’s safety, a fundamental “mission” need.
Download:
0 komentar:
Posting Komentar