Information security management is about viewing and managing risks in terms of the causes, effects and therefore costs of loss of security.
Identify and briefly describe the stages involved in systematic management of information systems
Stages involved in systematic management of information systems:
1. Identification of the organization's assets
This involves taking an inventory of all the organization's information security assets, e.g. computers, data, personnel, programs, networks, etc.
2. Determination of the risks to the assets
For each asset a list of associated risks is produced. For instance, for computers, associated risks include:
o Theft, etc.
3. Estimating likelihood of occurrence of each risk
The likelihood of occurrence may be generally classified as high, low or medium.
4. Computation of expected annual losses due to occurrences of the risks.
5. Surveying applicable risk controls and their costs.
6. Selection of appropriate controls
The selection is largely determined by the cost of the control. Where the cost of the control exceeds the estimated loss due to the occurrence of the risk, the control is discarded and an alternative one is selected.
7. Projection of annual savings due to the controls
An estimate of the annual cost savings to the organization should be produced, taking into account the costs of the controls and the reduced levels of occurrence of the associated risks.
8. Implementation of the risk controls
This should be after management has assessed and approved the selected controls and their cost savings.
9. Review of controls to determine their effectiveness in preventing the occurrence of risks.
10. Implementation of review findings.
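Added worked example (not part of the original notes): a small Python model of steps 3 to 7 above, applied to the "computers" asset from step 2. The mapping of high/medium/low likelihood to events per year, the loss figures and the control costs are all constructed for illustration; step 6 applies the notes' rule literally (discard a control whose cost exceeds the expected annual loss of the risk), and step 7 projects the saving as the reduction in expected loss minus the control's cost.

```python
from dataclasses import dataclass

# Step 3: assumed conversion of the likelihood classes in the notes to
# expected occurrences per year (the notes give no numbers).
LIKELIHOOD_PER_YEAR = {"high": 2.0, "medium": 0.5, "low": 0.1}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str        # "high", "medium" or "low"
    loss_per_event: float  # constructed estimate of the loss from one occurrence


@dataclass
class Control:
    name: str
    risk: Risk
    annual_cost: float
    residual_likelihood: str  # likelihood class once the control is in place


def expected_annual_loss(risk: Risk) -> float:
    """Step 4: expected annual loss = occurrences per year x loss per event."""
    return LIKELIHOOD_PER_YEAR[risk.likelihood] * risk.loss_per_event


def annual_saving(control: Control) -> float:
    """Reduction in expected annual loss that the control produces."""
    residual = LIKELIHOOD_PER_YEAR[control.residual_likelihood] * control.risk.loss_per_event
    return expected_annual_loss(control.risk) - residual


def select_controls(controls):
    """Step 6: discard a control whose cost exceeds the expected annual loss of
    its risk. Step 7: project the net annual saving of the selected controls.
    Returns (selected names, rejected names, projected net saving)."""
    selected, rejected, net_saving = [], [], 0.0
    for c in controls:
        if c.annual_cost > expected_annual_loss(c.risk):
            rejected.append(c.name)
        else:
            selected.append(c.name)
            net_saving += annual_saving(c) - c.annual_cost
    return selected, rejected, net_saving


# Constructed sample data for the "computers" asset (step 2).
THEFT = Risk("computers", "theft", "medium", 4000.0)
MALWARE = Risk("computers", "malware infection", "high", 1500.0)
CONTROLS = [
    Control("cable locks and asset tags", THEFT, 300.0, "low"),
    Control("guarded storage (24h)", THEFT, 5000.0, "low"),
    Control("endpoint anti-malware", MALWARE, 900.0, "low"),
]
```

Running `select_controls(CONTROLS)` with these figures keeps the cable locks and the anti-malware control, rejects the guarded storage (its cost exceeds the 2000 expected annual theft loss), and projects a net saving of 3250 per year.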