Q

What's it all about?

Isn't it really all about accounting for your assets, placing a value on each (assessing the impact to your business if a breach occurs), calculating the risk (threats, vulnerabilities and likelihood of occurrence), and then implementing security controls to minimize the risks, starting with the highest? And to keep doing this as long as your security budget lasts. Oh, and then starting over again. ISO 27001:2005 outlines this very approach.

How can I argue with somebody who quotes chapter and verse from one of the primary sources of guidance for compliance activity? But, as they say, "the devil is in the details" and indeed I see plenty of infernal influence every time I dig into same.
This was first published in October 2006
