Gao risk security
Páginas: 60 (14781 palabras)
Publicado: 27 de abril de 2011
United States General Accounting Office
GAO
November 1999
Accounting and Information Management Division
Information Security Risk Assessment Practices of Leading Organizations
A Supplement to GAO’s May 1998 Executive Guide on Information Security Management
GAO/AIMD-00-33
Preface
Managing the security risks associated with our government’s growing reliance on informationtechnology is a continuing challenge. In particular, federal agencies, like many private organizations, have struggled to find efficient ways to ensure that they fully understand the information security risks affecting their operations and implement appropriate controls to mitigate these risks. This guide is intended to help federal managers implement an ongoing information security riskassessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessment practices. More importantly, it identifies, based on the case studies, factors that are important to the success of any risk assessment program, regardless of the specific methodologyemployed. The information provided in this document supplements guidance provided in our May 1998 executive guide Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68). In that guide, we outlined five major elements of risk management and 16 related information security management practices that GAO identified during a study of organizations with superiorinformation security programs. One of the five elements identified encompasses assessing risk and determining riskreduction needs. This guide is one of a series of GAO publications, listed in appendix I, that are intended to define actions federal officials can take to better manage their information resources. Contributors to this supplementary guide include Jean Boltz, Ernest Döring, and MichaelGilmore. If you have any questions about this guide, please contact me at (202) 512-6240 or by e-mail at brockj.aimd@gao.gov. [signed] Jack L. Brock, Jr. Director, Governmentwide and Defense Information Systems
GAO/AIMD-00-33 Information Security Risk Assessment
1
Contents
____________________________________________________________
_ 1 Preface____________________________________________________________
_ 4 Introduction
Federal Guidance Risk Assessment Is an Essential Element of Risk Management Basic Elements of the Risk Assessment Process Challenges Associated With Assessing Information Security Risks 4 5 6 7 9 11 15 16 17 17 19 19 23 24 24 26 26 32 32 34 34 38
____________________________________________________________
____________
Overview of CaseStudy Findings
Critical Success Factors Tools Benefits
____________________________________________________________
___________
Case Study 1: Multinational Oil Company
Distinguishing Characteristics Initiating a Risk Assessment Conducting and Documenting the Assessment Reporting and Ensuring That Agreed Upon Actions Are Taken
Case Study 2: Financial Services Company
DistinguishingCharacteristics Initiating a Risk Assessment Conducting and Documenting the Assessment
Case Study 3: Regulatory Organization
Distinguishing Characteristics Initiating a Risk Assessment Conducting and Documenting the Assessment Reporting and Ensuring That Agreed Upon Actions Are Taken
2
GAO/AIMD-00-33 Information Security Risk Assessment
Case Study 4: Computer Hardware andSoftware Company
Distinguishing Characteristics Initiating a Risk Assessment Conducting and Documenting the Assessment Reporting and Ensuring That Agreed Upon Actions Are Taken
39
39 41 41 46
____________________________________________________________
___________
Appendixes
Appendix I: GAO Guides on Information Technology Management Appendix II: Objectives and Methodology 47 48...
GAO
November 1999
Accounting and Information Management Division
Information Security Risk Assessment Practices of Leading Organizations
A Supplement to GAO’s May 1998 Executive Guide on Information Security Management
GAO/AIMD-00-33
Preface
Managing the security risks associated with our government’s growing reliance on informationtechnology is a continuing challenge. In particular, federal agencies, like many private organizations, have struggled to find efficient ways to ensure that they fully understand the information security risks affecting their operations and implement appropriate controls to mitigate these risks. This guide is intended to help federal managers implement an ongoing information security riskassessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessment practices. More importantly, it identifies, based on the case studies, factors that are important to the success of any risk assessment program, regardless of the specific methodologyemployed. The information provided in this document supplements guidance provided in our May 1998 executive guide Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68). In that guide, we outlined five major elements of risk management and 16 related information security management practices that GAO identified during a study of organizations with superiorinformation security programs. One of the five elements identified encompasses assessing risk and determining riskreduction needs. This guide is one of a series of GAO publications, listed in appendix I, that are intended to define actions federal officials can take to better manage their information resources. Contributors to this supplementary guide include Jean Boltz, Ernest Döring, and MichaelGilmore. If you have any questions about this guide, please contact me at (202) 512-6240 or by e-mail at brockj.aimd@gao.gov. [signed] Jack L. Brock, Jr. Director, Governmentwide and Defense Information Systems
GAO/AIMD-00-33 Information Security Risk Assessment
1
Contents
____________________________________________________________
_ 1 Preface____________________________________________________________
_ 4 Introduction
Federal Guidance Risk Assessment Is an Essential Element of Risk Management Basic Elements of the Risk Assessment Process Challenges Associated With Assessing Information Security Risks 4 5 6 7 9 11 15 16 17 17 19 19 23 24 24 26 26 32 32 34 34 38
____________________________________________________________
____________
Overview of CaseStudy Findings
Critical Success Factors Tools Benefits
____________________________________________________________
___________
Case Study 1: Multinational Oil Company
Distinguishing Characteristics Initiating a Risk Assessment Conducting and Documenting the Assessment Reporting and Ensuring That Agreed Upon Actions Are Taken
Case Study 2: Financial Services Company
DistinguishingCharacteristics Initiating a Risk Assessment Conducting and Documenting the Assessment
Case Study 3: Regulatory Organization
Distinguishing Characteristics Initiating a Risk Assessment Conducting and Documenting the Assessment Reporting and Ensuring That Agreed Upon Actions Are Taken
2
GAO/AIMD-00-33 Information Security Risk Assessment
Case Study 4: Computer Hardware andSoftware Company
Distinguishing Characteristics Initiating a Risk Assessment Conducting and Documenting the Assessment Reporting and Ensuring That Agreed Upon Actions Are Taken
39
39 41 41 46
____________________________________________________________
___________
Appendixes
Appendix I: GAO Guides on Information Technology Management Appendix II: Objectives and Methodology 47 48...
Leer documento completo
Regístrate para leer el documento completo.