MIS211 Lecture Notes - Lecture 3: Information Security, Risk, Risk Assessment


Document Summary

Information security methodology: to develop and maintain effective information security at managerial and technical levels, information security managers require a set of structured steps. Such steps are organised as an information security methodology.

Information security methodologies may use information security models and techniques. Information security models can model elements of information security (e.g. threats, lecture 2). Information security techniques can also be useful to develop important elements of information security (e.g. risk analysis techniques provide risk estimates).

1st generation methodologies: 1st generation information security methodologies use checklists of threats and/or controls. Risk-based approach, e.g. for each control missing from the system, assess the risk of related threats. Select the control if those threats are high risk. Security evaluation (e.g. audit checklist, or hardware marketing tool for vendors). Checklists may be vendor-controlled (if used as a hardware marketing tool). Best practices approach assumes all threats are equally significant risks. Information Security Management BS ISO/IEC 17799:2005 SANS Audit Check List.
