Discover

Taking stock -- Photo courtesy of orangeacid at flickr.com (http://www.flickr.com/photos/orangeacid/)

The essence of risk management with regard to information assets:

Know what you have and what it's worth to you or your organization.

As you catalog your assets, consider the importance of each of these aspects: availability, confidentiality and integrity.

What happens if the resource is no longer available?

What happens if the resource is no longer a secret or becomes too widely available?

What happens if the resource is wrong, due to human error or malfeasance?

Rank the importance of each of these aspects for each information asset.

Monitor and Defend

Monitor and defend -- Photo courtesy of orangeacid at flickr.com (http://www.flickr.com/photos/orangeacid/921171607/)

Once you have identified all your critical assets and ranked the importance of each CIA aspect (confidentiality, integrity, availability) for each of them, seek solutions that will enable you to preserve those characteristics.

But make sure the solutions don't cost more than the given asset is worth; if they do, you've already lost.

Do your homework (emphasis on "work"): meet with vendors and consultants, talk to colleagues, gather information, and build a plan to address each aspect of CIA for each asset.

Implement your plan. Monitor the implementation, audit, test, evaluate, correct, repeat.
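The cataloging and ranking described under Discover, and the cost check above, can be captured in a small asset register. The following is an added example and not code from the original page; the 1-to-3 rating scale, the "exposure" figure used to order the work, and every asset, value and cost in it are constructed assumptions for illustration.

```python
"""Added example (not part of the original page): a minimal asset register that
records what each asset is worth and how much confidentiality, integrity and
availability matter for it, ranks the assets, and checks that a proposed
safeguard does not cost more than the asset it protects.

All assets, values, ratings and costs below are constructed sample data; the
scoring scheme (1 = minor impact, 3 = severe impact per CIA aspect) is an
assumption, not something the page prescribes."""

from dataclasses import dataclass

RATING_SCALE = (1, 2, 3)  # assumed: 1 = minor impact, 3 = severe impact


@dataclass(frozen=True)
class Asset:
    name: str
    worth: float            # estimated value to the organization, in currency units
    confidentiality: int    # what happens if it leaks?        (1-3)
    integrity: int          # what happens if it is wrong?     (1-3)
    availability: int       # what happens if it is unavailable? (1-3)

    def __post_init__(self):
        for rating in (self.confidentiality, self.integrity, self.availability):
            if rating not in RATING_SCALE:
                raise ValueError(f"{self.name}: CIA ratings must be one of {RATING_SCALE}")
        if self.worth < 0:
            raise ValueError(f"{self.name}: worth cannot be negative")

    def dominant_aspect(self) -> str:
        """The CIA aspect whose loss would hurt most (ties resolved in C, I, A order)."""
        ratings = {"confidentiality": self.confidentiality,
                   "integrity": self.integrity,
                   "availability": self.availability}
        return max(ratings, key=ratings.get)

    def exposure(self) -> float:
        """Worth scaled by the worst-case CIA impact; used only to order the work."""
        worst = max(self.confidentiality, self.integrity, self.availability)
        return self.worth * worst / max(RATING_SCALE)


def rank_assets(assets):
    """Highest exposure first: these are the assets to plan for first."""
    return sorted(assets, key=lambda a: a.exposure(), reverse=True)


def control_is_justified(asset: Asset, control_cost: float) -> bool:
    """A safeguard that costs more than the asset is worth is a loss up front."""
    return control_cost <= asset.worth


# Constructed sample register (values are illustrative, not real figures)
REGISTER = [
    Asset("customer database", worth=500_000, confidentiality=3, integrity=3, availability=2),
    Asset("public web site",   worth=80_000,  confidentiality=1, integrity=2, availability=3),
    Asset("internal wiki",     worth=20_000,  confidentiality=2, integrity=2, availability=1),
]

if __name__ == "__main__":
    for a in rank_assets(REGISTER):
        print(f"{a.name:18} worth={a.worth:>9,.0f} exposure={a.exposure():>9,.0f} "
              f"protect {a.dominant_aspect()} first")
    # A 25,000 control for a 20,000 asset fails the "don't spend more than it's worth" test
    print("wiki control justified:", control_is_justified(REGISTER[2], control_cost=25_000))
```

The register is deliberately simple: it stores the three questions from the Discover step as ratings, so the ranking and the cost check fall out of data you already had to collect. Replace the constructed figures with your own valuations before relying on the ordering.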

Respond

Respond -- Photo courtesy of DeusXFlorida at flickr.com (http://www.flickr.com/photos/8363028@N08)

Security is a never-ending process, not a product you can buy. No solution will completely eliminate the possibility of something bad happening.

We're managing risk, not playing Don Quixote.

It is vital to have an incident response plan in place before something bad happens. Practice your plan, evaluate and adjust.

Learn your lessons, lick your wounds, get back to business.