1.3. An Approach to Information Security Risk Evaluations

An information security risk evaluation must identify both organizational and technological issues to be effective. It must address both the computing infrastructure and the way in which people use it as they perform their jobs. Thus, an evaluation needs to incorporate the context in which people use the infrastructure to meet the business objectives of the organization as well as technological security issues related to the infrastructure. It must consider what makes the organization succeed and what makes it fail.

We view using information security risk evaluations to improve an organization's security posture as a sound business practice. Since most organizations rely upon access to ...

From Managing Information Security Risks: The OCTAVE℠ Approach (O’Reilly learning platform).