Gao risk security

Only available on BuenasTareas
  • Pages: 60 (14,781 words)
  • Download(s): 0
  • Published: 27 April 2011
United States General Accounting Office

GAO
November 1999

Accounting and Information Management Division

Information Security Risk Assessment Practices of Leading Organizations
A Supplement to GAO’s May 1998 Executive Guide on Information Security Management

GAO/AIMD-00-33

Preface

Managing the security risks associated with our government’s growing reliance on information technology is a continuing challenge. In particular, federal agencies, like many private organizations, have struggled to find efficient ways to ensure that they fully understand the information security risks affecting their operations and implement appropriate controls to mitigate these risks.

This guide is intended to help federal managers implement an ongoing information security risk assessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessment practices. More importantly, it identifies, based on the case studies, factors that are important to the success of any risk assessment program, regardless of the specific methodology employed.

The information provided in this document supplements guidance provided in our May 1998 executive guide Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68). In that guide, we outlined five major elements of risk management and 16 related information security management practices that GAO identified during a study of organizations with superior information security programs. One of the five elements identified encompasses assessing risk and determining risk reduction needs.

This guide is one of a series of GAO publications, listed in appendix I, that are intended to define actions federal officials can take to better manage their information resources.

Contributors to this supplementary guide include Jean Boltz, Ernest Döring, and Michael Gilmore. If you have any questions about this guide, please contact me at (202) 512-6240 or by e-mail at brockj.aimd@gao.gov.

[signed]
Jack L. Brock, Jr.
Director, Governmentwide and Defense Information Systems

GAO/AIMD-00-33 Information Security Risk Assessment

1

Contents

Preface  1

Introduction  4
    Federal Guidance  5
    Risk Assessment Is an Essential Element of Risk Management  6
    Basic Elements of the Risk Assessment Process  7
    Challenges Associated With Assessing Information Security Risks  9

Overview of Case Study Findings  11
    Critical Success Factors  15
    Tools  16
    Benefits  17

Case Study 1: Multinational Oil Company  17
    Distinguishing Characteristics  19
    Initiating a Risk Assessment  19
    Conducting and Documenting the Assessment  23
    Reporting and Ensuring That Agreed Upon Actions Are Taken  24

Case Study 2: Financial Services Company  24
    Distinguishing Characteristics  26
    Initiating a Risk Assessment  26
    Conducting and Documenting the Assessment  32

Case Study 3: Regulatory Organization  32
    Distinguishing Characteristics  34
    Initiating a Risk Assessment  34
    Conducting and Documenting the Assessment  38
    Reporting and Ensuring That Agreed Upon Actions Are Taken  39

Case Study 4: Computer Hardware and Software Company  39
    Distinguishing Characteristics  41
    Initiating a Risk Assessment  41
    Conducting and Documenting the Assessment  46
    Reporting and Ensuring That Agreed Upon Actions Are Taken

Appendixes
    Appendix I: GAO Guides on Information Technology Management  47
    Appendix II: Objectives and Methodology  48
...