Informationssicherheit – ohne methodische Risikoidentifizierung ist alles Nichts
详细信息    查看全文
文摘
Information security is not an IT problem and cannot be reduced to the IT department. Effective protection of confidentiality, integrity and availability must be anchored throughout the organization. To address this challenge efficiently, a risk-based approach is required. To this end, the organizational context must first be determined. When applying the risk management process, the quality of risk identification is crucial. Risks that are not identified here are missing in the subsequent risk analysis and risk evaluation and thus also in risk treatment. There are various approaches for methodological risk identification, two of which are presented: the predominantly effect-oriented event-based approach, and the cause-oriented approach based on the consideration of assets, threats and vulnerabilities. In order to implement risk identification in practice, various prerequisites must be fulfilled. It is crucial that top management takes its leadership role comprehensively and effectively. The key challenge is to keep the scope of risk identification manageable. To this end, the approaches of focusing and coarsening have proved successful in practice. Irrespective of the chosen approach to risk identification, a profound assessment capacity is essential. By means of the process of continual improvement, an initially high level but clear picture of the information security risks can be refined step by step and adapted to the current requirements and threats.

© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号

地址:北京市海淀区学院路29号 邮编:100083

电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700