Please help me write an English speech on risk management in the IT industry (50 extra points if it is done well). Risk management in the IT industry (IT Risk management). Requirements: an overview, a section-by-section discussion, and a summary. At least 1000 words. Absolutely no translation software.
Source: Student Homework Help Network   Editor: Liuliu Homework Network   Time: 2024/12/26 01:16:26
Please help me write an English speech on risk management in the IT industry (50 extra points if it is done well)
Risk management in the IT industry (IT Risk management)
Requirements: an overview, a section-by-section discussion, and a summary.
At least 1000 words.
Absolutely no translation software.
Risk management in the IT industry
Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.
Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives.
An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
So, who should be involved in risk management of an organization?
Personnel who should support and participate in the risk management process are:
• Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.
• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management program.
• System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. The system and information owners must therefore understand their role in the risk management process and fully support this process.
• Business and Functional Managers. The managers responsible for business operations and IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.
• ISSO. The Information System Security Officer and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions.
• IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.
• Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.
Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.
Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.
Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC (System Development Life Cycle). The risk assessment methodology encompasses nine primary steps, which are:
• Step 1: System Characterization
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
• Step 8: Control Recommendations, and
• Step 9: Results Documentation
Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.
When control actions must be taken, the following rule applies:
Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities.
The following risk mitigation methodology describes the approach to control implementation:
• Step 1: Prioritize Actions
Based on the risk levels presented in the risk assessment report, the implementation actions are prioritized.
• Step 2: Evaluate Recommended Control Options
The controls recommended in the risk assessment process may not be the most appropriate and feasible options for a specific organization and IT system. The objective is to select the most appropriate control option for minimizing risk.
• Step 3: Conduct Cost-Benefit Analysis
To aid management in decision making and to identify cost-effective controls, a cost-benefit analysis is conducted.
• Step 4: Select Control
On the basis of the results of the cost-benefit analysis, management determines the most cost-effective control(s) for reducing risk to the organization’s mission. The controls selected should combine technical, operational, and management control elements to ensure adequate security for the IT system and the organization.
• Step 5: Assign Responsibility
Appropriate persons (in-house personnel or external contracting staff) who have the appropriate expertise and skill-sets to implement the selected control are identified, and responsibility is assigned.
• Step 6: Develop a Safeguard Implementation Plan
During this step, a safeguard implementation plan (or action plan) is developed. The plan should, at a minimum, contain the following information:
– Risks and associated risk levels
– Recommended controls
– Prioritized actions (with priority given to items with Very High and High risk levels)
– Selected planned controls (determined on the basis of feasibility, effectiveness, benefits to the organization, and cost)
– Required resources for implementing the selected planned controls
– Lists of responsible teams and staff
– Start date for implementation
– Target completion date for implementation
– Maintenance requirements.
• Step 7: Implement Selected Control(s)
Depending on individual situations, the implemented controls may lower the risk level but not eliminate the risk.
In implementing the above recommended controls to mitigate risk, an organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for their IT systems and organization. Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s mission.
And now we come to the last process, but not the least: EVALUATION AND ASSESSMENT.
In most organizations, the network itself will continually be expanded and updated, its components changed, and its software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving.
To put it in a nutshell, a successful risk management program will rely on
(1) senior management’s commitment;
(2) the full support and participation of the IT team;
(3) the competence of the risk assessment team, which must have the expertise to apply the risk assessment methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the needs of the organization;
(4) the awareness and cooperation of members of the user community, who must follow procedures and comply with the implemented controls to safeguard the mission of their organization; and
(5) an ongoing evaluation and assessment of the IT-related mission risks.
Thank you very much for your attention!
The gist of the above is as follows:
Paragraphs 1, 2, 3: In the digital era, enterprises and organizations can no longer operate without IT systems, so risk management for those systems has become very important. Risk management is the means of finding a balance between keeping systems secure and the cost of doing so. Effective risk management keeps systems operating securely in order to accomplish the organization's objectives, rather than merely protecting IT assets; it must therefore be treated as a primary management function.
Paragraphs 4, 5, 6: These list the personnel and departments tied to risk management, and stress that a sound methodology is needed to make the most of a limited management budget if the goal is to be achieved effectively.
Paragraphs 7, 8, 9, 10, 11: IT risk management covers three major processes: risk assessment, risk mitigation, and evaluation and assessment. Risk assessment uses nine steps to determine all the risks, and their severity, over the IT system's development life cycle, and then selects controls. Risk mitigation explains how to achieve the greatest effect at the lowest cost; seven steps are listed here. The third process is evaluation and assessment: as time passes, most organizations' networks will be expanded or updated, hardware and software will be replaced or upgraded, personnel will change and security measures will change, and all of these create new risks. Risk management is therefore never-ending and constantly evolving.
Paragraph 12: the final summary. A successful risk management program has five key points: 1. senior management's commitment; 2. the full support and participation of the IT team; 3. the professional competence of the risk assessment team; 4. users operating according to the rules; 5. continual evaluation and assessment of IT risks.
Reference: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
It would be best to have an original manuscript available for translation.
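Risk assessment steps 5 through 8 and mitigation steps 1 through 4 of the speech above, carried through on constructed data as an added example (not part of the original answer). The likelihood and impact weights and the Low/Medium/High risk scale follow the risk-level matrix in the SP 800-30 document the answer cites; the findings, control costs and residual ratings are assumptions.

```python
from dataclasses import dataclass

# Weights from the SP 800-30 risk-level matrix (risk = likelihood x impact).
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
LEVEL_ORDER = {"High": 0, "Medium": 1, "Low": 2}

@dataclass
class Finding:
    name: str                 # threat-source / vulnerability pair (steps 2-3)
    likelihood: str           # step 5 rating
    impact: str               # step 6 rating
    control: str              # step 8 recommended control
    cost: int                 # constructed relative cost for the cost-benefit analysis
    residual_likelihood: str  # ratings expected once the control is in place
    residual_impact: str

def risk_score(likelihood: str, impact: str) -> float:
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    # SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def determine_risk(f: Finding) -> str:
    """Step 7 of the risk assessment: the risk level of one finding."""
    return risk_level(risk_score(f.likelihood, f.impact))

def risk_reduction_per_cost(f: Finding) -> float:
    """Cost-benefit input for mitigation step 3: risk points removed per unit of cost."""
    before = risk_score(f.likelihood, f.impact)
    after = risk_score(f.residual_likelihood, f.residual_impact)
    return (before - after) / f.cost

def prioritize(findings: list) -> list:
    """Mitigation steps 1-4: highest risk level first, then best risk reduction per cost."""
    return sorted(findings, key=lambda f: (LEVEL_ORDER[determine_risk(f)], -risk_reduction_per_cost(f)))

# Constructed sample findings for a small office network (not real data).
SAMPLE = [
    Finding("Unpatched web server / remote code execution", "High", "High", "Patch management", 20, "Low", "High"),
    Finding("Shared admin password / insider misuse", "Medium", "High", "Individual accounts + MFA", 10, "Low", "High"),
    Finding("Laptop theft / unencrypted disk", "Medium", "Medium", "Full-disk encryption", 4, "Medium", "Low"),
    Finding("Power outage / no UPS", "Low", "Medium", "Install UPS", 8, "Low", "Low"),
]
```

Calling `prioritize(SAMPLE)` orders the High finding first and, within the two Medium findings, the cheaper encryption control ahead of the account change because it removes more risk per unit of cost.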