Security management is the identification of an organization's assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets.
Contents
- Loss prevention
- Security risk management
- External
- Internal
- Risk avoidance
- Risk reduction
- Risk spreading
- Risk transfer
- Risk acceptance
- Intrusion detection
- Access control
- Physical security
- Procedures
- References
An organisation uses such security management procedures as information classification, risk assessment, and risk analysis to identify threats, categorise assets, and rate system vulnerabilities so that they can implement effective controls.
Loss prevention
Loss prevention is focuses on what your critical assets are and how you are going to protect them. A key component to loss prevention is assessing the potential threats to the successful achievement of the goal. This must include the potential opportunities that further the object (why take the risk unless there's an upside?) Balance probability and impact determine and implement measures to minimize or eliminate those threats.
Security risk management
Management of security risks applies the principles of risk management to the management of security threats. It consists of identifying threats (or risk causes), assessing the effectiveness of existing controls to face those threats, determining the risks' consequence(s), prioritizing the risks by rating the likelihood and impact, classifying the type of risk and selecting an appropriate risk option or risk response.
External
Internal
Risk avoidance
The first choice to be considered. The possibility of eliminating the existence of criminal opportunity or avoiding the creation of such an opportunity is always the best solution, when additional considerations or factors are not created as a result of this action that would create a greater risk. As an example, removing all the cash from a retail outlet would eliminate the opportunity for stealing the cash–but it would also eliminate the ability to conduct business.
Risk reduction
When avoiding or eliminating the criminal opportunity conflicts with the ability to conduct business, the next step is the reduction of the opportunity and potential loss to the lowest level consistent with the function of the business. In the example above, the application of risk reduction might result in the business keeping only enough cash on hand for one day’s operation.
Risk spreading
Assets that remain exposed after the application of reduction and avoidance are the subjects of risk spreading. This is the concept that limits loss or potential losses by exposing the perpetrator to the probability of detection and apprehension prior to the consummation of the crime through the application of perimeter lighting, barred windows and intrusion detection systems. The idea here is to reduce the time available to steal assets and escape without apprehension
Risk transfer
Transferring risks to other alternatives when those risks have not been reduced to acceptable levels. The two primary methods of accomplishing risk transfer are to insure the assets or raise prices to cover the loss in the event of a criminal act. Generally speaking, when the first three steps have been properly applied, the cost of transferring risks is much lower.
Risk acceptance
All remaining risks must simply be assumed by the business as a risk of doing business. Included with these accepted losses are deductibles which have been made as part of the insurance coverage.
Intrusion detection
illish ase?