We aim to reduce the risk level of all information and information processing assets to an acceptable level, such that critical business is not affected. At all times the “Risk Level” of any given asset should remain below the “Acceptable Risk Level” set by management, where “Acceptable Risk” is the risk level that management is prepared to accept as business risk.
Risk Assessment in our organization
Step 1: Identification of assets
Step 2: Valuation of assets
Step 3: Identification of threat and vulnerability pairs
Step 4: Business Impact Rating
Step 5: Assessment of threat and vulnerability pairs and their likelihood of occurrence
Step 6: Determination of risk
Risk Management
Risk Management is the process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, risk mitigation and overall security review. The following activities with respect to safeguards are part of the overall Risk Management exercise:
- Security evaluation of safeguards
- Selection of safeguards
- Cost benefit analysis
- Implementation and testing
Risk management is used to continuously assess what can go wrong in projects (i.e., what the risks are), determine which of these risks are most important, and implement strategies to deal with these risks.