Basics of Risk Management
Exposure to a chance of loss or damage tends to make companies and organizations more risk averse. In the ever-changing business world, enterprise Risk Management attempts to lessen the seriousness or extent of risk where possible through best practices (ITIL) and security standards (ISO 27002, ISO 27005, PCI). The management of risk is even more pronounced in finance and insurance. The vulnerability or exposure of financial security leads companies to maintain financial risk management programs (Solvency 2) and governments to issue regulatory laws (Sarbanes-Oxley in the United States and Basel II in Europe) and security regulations (HIPAA, GLBA) that attempt to preserve and maintain desired outcomes.
Risk Management Policy
Proven methods of Risk Management Policy exist for identifying risks and analyzing their potential impacts; still, only a relatively small group of organizations fully use these systematic approaches to enterprise risk management to identify and analyze the potential impact on critical activities and to implement the security policy best suited to protecting the organization's assets.
Security Policy
With each passing day, more information and data becomes available as companies' investment in information systems increases. Using that information to identify risks and analyze their potential impacts requires that information systems Security Policy become a more significant factor, and organizations must choose security measures appropriate to the risk and circumstances involved. Interest in integrating ITIL with Capability Maturity Models (CMM and CMMI) is evidence that awareness and knowledge of gradual improvement are developing. Information security policy and risk management related to information technology (IT) will continue to integrate gradually into the business processes of organizations.