What is Risk Management?

Risk Management, in general, is a process aiming at an efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses. It is an integral part of management practice and an essential element of good corporate governance. Risk Management should be an endlessly recurring process consisting of phases which, when properly implemented, enable continuous improvement in decision-making and performance.

Information Security (IS) Risk Management can be a part of an organization’s wider risk management process or can be carried out separately. Because Information Technology in general (and Information Security in particular) relies on state-of-the-art technology that is continuously changing and expanding, it is recommended that IS Risk Management be established as a permanent process within the organization.

What is the purpose of this site?

Both within the documented ENISA tasks and in the resulting ENISA Work Programme 2006, several issues of Risk Management have been identified:

  • Promotion of Risk Management activities within public and private sector organizations
  • Generation of a "common language" in the area of Risk Management to facilitate communication of stakeholders
  • Generation of surveys with overviews of existing methods, tools and best practices
  • Promotion of development of interoperable Risk Management solutions; integration of Risk Management/Risk Assessment with corporate governance

The purpose of this site is to contribute towards the first two points mentioned above. In doing so, it presents processes and operational cycles pertinent to Risk Management and proposes guidelines that can improve the effectiveness of their implementation.

A further purpose of this site is to contribute towards the third point above by providing an initial survey of best practices, by means of inventories of existing methods and tools. Inventories of existing Risk Management / Risk Assessment methods and tools will be maintained in the future by ENISA.

Finally, the last point above, together with further emerging issues of Risk Management and Risk Assessment, is addressed by means of a road map describing future ENISA actions in this area.

It is worth mentioning that this site contains information delivered by an ad hoc Working Group established by ENISA in the area of Risk Management / Risk Assessment [ENISA-WG]. This information has been appropriately integrated into the present text, and some of it is included in the attached inventories.

As ENISA's focus is on information and network security, we mainly concentrate on Information Security (IS) Risk Management. Unless otherwise noted, the terms Information Security Risk Management and Risk Management are used on this site interchangeably.

