2.2 Risk Management 27
Chapter 2
Certification results in a set of reports that support the accreditation decision. If the certification documentation is complete and all requirements are adequately met, the process moves to the accreditation step.
2.1.2 Accreditation
At this point in the process, the system design is reviewed for completeness and compliance with requirements. If the design is not complete, or if the certification documentation indicates that not all requirements are adequately met by the design, the risk management process returns to the preparation step in order to adjust the system design. Accreditation represents approval to operate a system. Accreditation is the formal declaration by the responsible manager that the system is approved under specified controls and operating procedures. It signifies official acceptance of residual risk by responsible organizational management.
2.2 Risk Management
Risk management encompasses three processes: risk assessment, risk mitigation, and risk evaluation. The risk assessment process includes identification and evaluation of risks and risk impacts, and recommendation of risk-reducing measures. Risk mitigation refers to prioritizing, implementing, and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Generally, a risk evaluation is performed by a risk manager (see below) who is responsible for determining whether the remaining risk is at an acceptable level or whether additional security controls should be implemented to further reduce or eliminate the residual risk before authorizing (or accrediting) the mitigation measure for operational use.
Risk management is a process that allows managers to balance operational and economic costs of protective measures and achieve gains in mission capability by protecting the resources that support their organizational mission(s). This process is not unique to the IT environment. It pervades decision making in all areas of our daily lives. Take the case of home security, for example. Many people decide to have home security systems installed and pay a monthly fee to a service provider to have these systems monitored for the better protection of their property. Presumably, the homeowners have weighed the cost of system installation and monitoring against the value of their household goods and their family's safety, a fundamental “mission” need.
