Risk Management for Information Systems


The private sector should employ a program similar to the federal government’s use of the COOP system as part of its risk management plan. This system was put into place as a defensive response to 9/11, and the private sector is also vulnerable to threats of terrorism or natural disasters. The COOP system would allow the private sector to prepare for and recover from these threats. Implementation of a risk management system can be a challenge for private sector companies. The company will need to determine what policies will be needed and who will put these steps into place. Bandyopadhyay, Mykytyn, & Mykytyn (1999) state that this analysis can become a risk-reducing strategy that will help the company in the long run.

An effective risk management plan should be a process in which all aspects of the business are restored to their state prior to a devastating event. However, a major issue to consider is that the company may never be able to completely recover. In that case, the risk management plan would waste time, effort and resources on attempting to achieve a task that is no longer possible. To account for this, the risk management plan should have contingencies that allow the company to restore as much as it can while also beginning to consider a new strategy for the company. According to Stoneburner, Goguen, & Feringa (2002), risk assessment can be used to conduct a cost-benefit analysis that provides some insight into what the company's next steps should be.

Conducting a security gap analysis on a regular basis is one of the key strategies in risk management practices. Barr (2013) states that conducting these analyses on a regular basis can protect the company from a threat: “Every enterprise has gaps in its information security infrastructure, and attackers test even the most secure environments on a regular basis” (Barr, 2013). While conducting a gap analysis is a best practice solution for avoiding attacks, it can be costly and time consuming to conduct regularly. However, monitoring the system on a regular basis can prevent attacks that can be very costly to the company.

References

Bandyopadhyay, K., Mykytyn, P. P., & Mykytyn, K. (1999). A framework for integrated risk management in information technology. Management Decision, 37(5), 437-445.

Barr, J. (2013). Conducting an information security gap analysis. Faulkner Information Services, 1-11.

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST Special Publication 800-30.