The development of technology has without a doubt improved the means by which information is accessed, processed, stored, and retrieved. Today, information can be obtained from anywhere in the world and even on distant planets, processed and stored at a central location, and retrieved from another location within a matter of minutes.

However, as the means to readily access information improve, the risk to information security also increases. Information Risk Management is a system by which these risks are identified, classified, and protected against.

The first step in information risk management is to identify the threats to the information being protected. These threats could include:

Intentional Disclosure

This is when protected information is retrieved by an inside source and intentionally provided to unauthorised persons or organisations. This could be achieved by altering software or releasing access codes intentionally.

Unintentional Disclosure

Accidents do happen. Protected information may be leaked unintentionally to unauthorised persons or organisations.

Acts of Nature

Earthquakes, tornados, hurricanes and other acts of nature can potentially destroy information storage and processing equipment.

Once the threats have been identified, vulnerabilities also need to be found. Information can be vulnerable in many different ways:

  • Security procedures may not be clearly defined.
  • A contingency plan may not be in place or, if one is, may not be distributed to affected sectors effectively.
  • Not everybody in an organisation may be adequately trained in contingency measures.
  • The system may lack back-up capabilities.
  • Disaster recovery procedures may not be in place.
  • The lack of alternate processing locations can also make the system vulnerable.

It is important in Information Risk Management to identify the threats and identify the possible vulnerabilities of the system. Once a deeper understanding of the risks is achieved, a plan to manage these risks can be formulated and implemented.

It is also imperative in Information Risk Management that the risks and vulnerabilities that are identified be communicated to the affected departments. This would usually mean all of the departments within an organisation. Managers need to be aware of the risks and vulnerabilities, and so do all other personnel.

In fact, proper communication is the key to preventing many threats to information security. If everybody within the organisation is completely aware of the risks and how to minimise them, then managing the risks is a lot easier.

In many organisations it is the responsibility of the Information Technology (IT) department to manage the risks to information. However, in many cases, this responsibility may be outsourced in part or as a whole to an information security agency.

At a time when information can be easily accessed with the right technology, the risk of unauthorised access becomes greater. Previously, information could only be accessed through wired connections. Now, wireless connectivity is widely available, and this makes it more challenging to protect information on a network.

Electronic Data Management Systems need to be carefully scrutinized to ensure the protection of information that they process and store. Without the proper security measures in place, the risk of information falling into the wrong hands becomes greater.