
Management of Risks in Information Systems: Practices of Successful Organizations



Shirley M. Radack


This bulletin summarizes the findings of a U.S. General Accounting Office (GAO) study of the information security programs and management practices of eight non-federal organizations. The focus was on the management framework that the organizations had established. The organizations studied applied five principles of risk management, linking them into a cycle of activity that enabled them to address risks on an ongoing basis. The programs were successful because senior executives recognized and understood that their information systems were subject to risks and that these risks affected their business operations. The organizations assessed those risks, established policies, and selected controls to address them. They emphasized increasing users' awareness of the policies and controls. They monitored the effectiveness of the policies and controls and used the results to determine whether the policies and controls needed to be modified. Central security management offices coordinated this cycle of activities.
ITL Bulletin


General Accounting Office, information security, risk assessment, risk management, security awareness, security management, security policies, system vulnerabilities


Radack, S. (1998), Management of Risks in Information Systems: Practices of Successful Organizations, ITL Bulletin, National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 13, 2024)
Created March 19, 1998, Updated February 19, 2017