Information Security & Risk Management

When considering IT security, an organization must judge the level of that security based on the level of risk to the organization. An example would be two organizations with a presence on the Internet. One is a small religious congregation with a simple website used to communicate its mission with parishioners. The other is an eCommerce site transacting multi-millions of dollars in business annually. While hacking is possible with both websites, the level of intrusion by an outside party is likely more significant with the eCommerce website than it is with the religious site.

Risk management is an integral part of an information security program. It provides the foundation for building an adequate response at a level sufficient enough to support the organizational objectives while not hindering them (Peltier, 2013). Doing a risk-assessment allows the organization to build a cost-effective IT security system that protects the vital information of the organization. Conducting risk-assessment early in the development of the information system avoids the cost of having to retrofit down the road due to an unknown risk. It allows for the alignment of information security with business objectives. Risk assessment is the business process of identifying threats and the impact of those threats (Layton, 2016).

Senior management must be involved and be in total support of the development of an IT security system and be primarily involved with the risk assessment. As the mission owners, they will be in the best position to identify potential risks as well as determining the risk level. It is important to note that risk assessment is a business function, not an IT function. It can only devise the technical solution to what the business identifies what needs protecting. From the risk assessment, we can develop the policies needed to govern the security of the information system.

The risk assessment will identify vulnerabilities, while risk management will identify which techniques to use to protect against them.


AT Kearney. (n.d.). The Golden Rules of Operational Excellence in Information Security Management. Retrieved April 7, 2019, from

Layton, T. P. (2016). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: CRC Press.

Peltier, T. R. (2013). Information Security Fundamentals, Second Edition. Boca Raton, FL: CRC Press.

Originally published at



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Richard Garling

Senior Project Mgr; Masters in IT Mgt/Project Mgt; writer on Project Mgt topics and politics; political organizer. Project Manager III @ Bradford Group