Answer: among the many steps in information risk planning, the five basic steps are listed below:
• STEP 1: Identify the risk
• STEP 2: Analyze the risk
• STEP 3: Evaluate or rank the risk
• STEP 4: Treat the risk
• STEP 5: Monitor the risk.
I will not consider step three, because I see all risks as the same: the one you assume to be a high risk may never occur, while the one you assume to be a low risk may occur frequently. So I will give equal attention to all the risks identified.
In using these steps, I have to take them in order.
FIRST STEP: Identify the risk. In this first step I will have to identify all the risks that are involved in information security, which could be data loss from a computer or data theft from a personal computer.
SECOND STEP: Analyse the risk. I will study each risk: how can data be stolen from an employee's personal work computer, and how can data be lost from an employee's work computer? To analyse these risks: data can be lost from an employee's computer if the system has been corrupted by a virus, if the system's hard disk crashes, if the system was formatted by mistake, or if the system is poorly maintained. Data can be stolen from a system if the system is hacked, if the system has no password, or by stealing the hard disk from the system.
THIRD STEP: Evaluate or rank the risk. This is where you evaluate each risk to know which are high risk and which are low risk, and to know the level of precaution to be used. I will not consider this step because I believe all risks are high and any of them can occur on any day, so the chance of every risk is the same, and the level of precaution to be taken for every risk should be the same.
FOURTH STEP: Treat the risk. In this step I will treat all the risks I discovered in the second step. For data security in terms of theft, a special security code will be generated for every employee's computer, which will be known only by the employee who uses that computer. All staff are meant to leave the office when working hours are over, or to work with the security personnel if they work overtime, to avoid theft of hard disks. Staff will be educated to avoid clicking links from unknown sources, to avoid being hacked. For data security in terms of loss, all staff will back up their files to a cloud. All staff will be educated on the usage of computers to avoid formatting the system by mistake. There will be an updated antivirus to quarantine viruses from the system, since they can damage data.
FIFTH STEP: Monitor and review the risk. The risks will be monitored constantly: by always updating the antivirus, changing the password on each system at least once a month, monitoring each staff member's usage of the computer, updating the IT unit with recent technologies and software, and updating the security personnel on their duties. As the risks are being monitored, I will watch out for more risks to be identified.