What is Information Risk Management?

Michelle Yasuwito

2101701235

Image source: http://themocracy.com/an-introduction-to-risk-management-information-systems/


If you search the term information risk management (IRM) on Google, you’ll likely turn up many lengthy explanations and definitions. And while you can learn more about IRM by searching the terms “NIST” and “800-53,” many of the definitions you’ll come across are either too vague, or they focus entirely on theory instead of practice. In response, we’ve taken a crack at a simple, yet sufficient working definition:

Information risk management (IRM): The policies, procedures, and technology one adopts in order to reduce the threats, vulnerabilities, and consequences that could arise if data is not protected.

When the average person thinks about a threat, they tend to envision hackers and those with malicious intent from outside an organization attempting to steal data or valuable information through physical or cyber means. This is considered an intentional threat. But it’s important to understand that threats to an organization’s information can be both intentional and unintentional. An unintentional threat might be an employee who doesn’t handle data properly or an IT manager who is careless with an organization’s IT infrastructure. It could also be a security flaw that allows a break-in to take place.

Information risk management examines this classic equation for risk:

Risk = Threat × Vulnerability × Consequence

Threat is inherent in information risk management, and most organizations assume that their vendors pose at least some level of threat.

Vulnerability comprises the gaps in a protection program. Let’s say you have a really sensitive document and you put it in a safe, in a locked building, protected by guards. You likely feel confident that the document isn’t vulnerable to many threats. Now, if that same document was online in an open network where your organization stores all of its data, it’s easy to understand how this compromises the safety of the document. The moral of this story is to understand not only what the vulnerabilities are in your protection program, but also how the vulnerabilities can be exploited. Once you parse through this information, you’ll gain a clearer idea of how to address your overall risk.

Another really important element in IRM is understanding the value of the information you’re trying to protect, because consequence depends largely on this. But, as you know, the value of your information varies tremendously. Some information holds value because your organization considers it to be of great value. This may include very sensitive designs, blueprints, or pricing. But sometimes information has value because there are legal requirements for protecting that data. Even if you don’t consider personally identifiable information (PII) to be high priority, your customer (and the law) would most likely disagree with you. So in determining the consequence side of risk, your organization needs to ask what might happen if a particular piece of data is compromised.
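As an added illustration (not part of this post or the BitSight source it draws on), the three-factor model applied to the scenarios above: the same document in a guarded safe versus on an open network, and PII whose consequence is driven by legal obligation rather than the organization’s own priorities. All numeric ratings, scale ranges and scenario names are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One row of a simple risk register using Threat x Vulnerability x Consequence."""
    name: str
    threat: float         # likelihood that some actor or accident acts on the asset, 0..1
    vulnerability: float  # likelihood that the protection program fails to stop it, 0..1
    consequence: float    # impact if the data is compromised, 0 (none) .. 5 (severe)

    def __post_init__(self):
        # Reject ratings outside the assumed scales so a typo cannot hide a real risk.
        if not (0.0 <= self.threat <= 1.0 and 0.0 <= self.vulnerability <= 1.0):
            raise ValueError(f"{self.name}: threat and vulnerability must be in 0..1")
        if not 0.0 <= self.consequence <= 5.0:
            raise ValueError(f"{self.name}: consequence must be in 0..5")

    def risk(self) -> float:
        # Multiplicative: if any factor is zero, there is no risk to manage.
        return self.threat * self.vulnerability * self.consequence


# Constructed ratings for the post's scenarios (assumed values, not measured data).
SCENARIOS = [
    Scenario("Sensitive design in a safe, locked building, guards", 0.5, 0.05, 5),
    Scenario("Same design on an open network with all company data", 0.5, 0.80, 5),
    Scenario("Customer PII the organization treats as low priority", 0.5, 0.60, 4),
    Scenario("Public marketing brochure", 0.5, 0.90, 0),
]


def rank(scenarios):
    """Order the register so the highest-risk items are addressed first."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


def risk_after_mitigation(scenario: Scenario, new_vulnerability: float) -> float:
    """Risk if a control closes part of the gap (threat and consequence unchanged)."""
    return Scenario(scenario.name, scenario.threat, new_vulnerability,
                    scenario.consequence).risk()


if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{s.risk():5.2f}  {s.name}")
```

Running it lists the open-network copy first and the guarded copy near the bottom, with the “low priority” PII ranking above the guarded design because its legal consequence stays high regardless of the organization’s own view.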

Source/References: https://www.bitsight.com/blog/what-is-information-risk-management