Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Lay down the foundations for security risk management, including roles and responsibilities and a defined risk tolerance level.
Define frequency and impact rankings, then assess the risk of your project.
Catalog an inventory of individual risks to create an overall risk profile.
Communicate the risk-based conclusions and leverage these in security decision making.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Build the foundation needed for a security risk management program.
Define roles and responsibilities of the risk executive.
Define an information security risk tolerance level.
Clearly defined roles and responsibilities.
Defined risk tolerance level.
1.1 Define the security executive function RACI chart.
1.2 Assess business context for security risk management.
1.3 Standardize risk terminology and assumptions.
1.4 Conduct preliminary evaluation of risk scenarios to determine your risk tolerance level.
1.5 Decide on a custom risk factor weighting.
1.6 Finalize the risk tolerance level.
1.7 Begin threat and risk assessment.
Defined risk executive functions
Risk governance RACI chart
Defined quantified risk tolerance and risk factor weightings
Determine when and how to conduct threat and risk assessments (TRAs).
Complete one or two TRAs, as time permits during the workshop.
Developed process for conducting threat and risk assessments.
Deep risk analysis for one or two IT projects/initiatives.
2.1 Determine when to initiate a risk assessment.
2.2 Review appropriate data classification scheme.
2.3 Identify system elements and perform data discovery.
2.4 Map data types to the elements.
2.5 Identify STRIDE threats and assess risk factors.
2.6 Determine the risk actions to take and assign countermeasures.
2.7 Calculate mitigated risk severity based on actions.
2.8 If necessary, revisit risk tolerance.
2.9 Document threat and risk assessment methodology.
Define scope of system elements and data within assessment
Mapping of data to different system elements
Threat identification and associated risk severity
Defined risk actions to take in the threat and risk assessment process
Complete one or two TRAs, as time permits during the workshop.
Deep risk analysis for one or two IT projects/initiatives, as time permits.
3.1 Continue threat and risk assessment activities.
3.2 As time permits, one to two threat and risk assessment activities will be performed as part of the workshop.
3.3 Review risk assessment results and compare to risk tolerance level.
One to two threat and risk assessment activities performed
Validation of the risk tolerance level
Collect, analyze, and aggregate all individual risks into the security risk register.
Plan for the future of risk management.
Established risk register providing an overview of the organization's aggregate risk profile.
Ability to communicate risk to other stakeholders as needed.
4.1 Begin building a risk register.
4.2 Identify individual risks and threats that exist in the organization.
4.3 Decide on risk responses based on each risk's level relative to the risk tolerance.
4.4 If necessary, revisit risk tolerance.
4.5 Identify which stakeholders sign off on each risk.
4.6 Plan for the future of risk management.
4.7 Determine how to present risk to senior management.
Risk register, with an inventory of risks and a macro view of the organization’s risk
Defined risk-based initiatives to complete
Plan for securing and managing the risk register
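The scoring and register steps in phases 2 and 4 above (frequency and impact rankings with a custom factor weighting, STRIDE threat identification per system element, mitigated severity after countermeasures, comparison against the risk tolerance level, and aggregation into a risk register with sign-off owners) carried through in code, as an added Python example that is not part of the workshop material. The severity formula, the 1-5 ranking scales, the weights, the tolerance value, the response and sign-off mapping, and the sample threats are all assumptions chosen for illustration; the workshop has you define your own in steps 1.5 and 1.6.

```python
from collections import Counter
from dataclasses import dataclass, field

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Custom risk factor weighting (assumption; the workshop picks this in step 1.5).
WEIGHTS = {"frequency": 1.0, "impact": 1.5}
# Quantified risk tolerance on the same severity scale (assumption; step 1.6).
RISK_TOLERANCE = 10.0


@dataclass
class Countermeasure:
    name: str
    frequency_reduction: int = 0   # points taken off the 1-5 frequency ranking
    impact_reduction: int = 0      # points taken off the 1-5 impact ranking


@dataclass
class Threat:
    element: str            # system element identified in step 2.3
    data_types: tuple       # data classification labels mapped to it in step 2.4
    category: str           # STRIDE category from step 2.5
    frequency: int          # 1-5 ranking
    impact: int             # 1-5 ranking
    countermeasures: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")
        if not (1 <= self.frequency <= 5 and 1 <= self.impact <= 5):
            raise ValueError("frequency and impact must be on the 1-5 scale")


def clamp(v):
    """Keep a reduced ranking on the 1-5 scale; a countermeasure never removes a factor."""
    return max(1, min(5, v))


def severity(frequency, impact, weights=WEIGHTS):
    """Weighted frequency x impact (assumed formula); weights let one factor dominate."""
    return weights["frequency"] * frequency * weights["impact"] * impact


def mitigated_severity(threat, weights=WEIGHTS):
    """Step 2.7: re-score after the assigned countermeasures are applied."""
    f = clamp(threat.frequency - sum(c.frequency_reduction for c in threat.countermeasures))
    i = clamp(threat.impact - sum(c.impact_reduction for c in threat.countermeasures))
    return severity(f, i, weights)


def risk_response(residual, tolerance=RISK_TOLERANCE):
    """Steps 4.3 and 4.5: response and sign-off depend on residual risk vs. tolerance
    (the bands and owners are assumptions)."""
    if residual <= tolerance:
        return "accept", "system owner"
    if residual <= 2 * tolerance:
        return "mitigate", "CISO"
    return "escalate", "risk executive"


def build_register(threats, weights=WEIGHTS, tolerance=RISK_TOLERANCE):
    """Steps 4.1-4.3: one register row per assessed threat, inherent and residual."""
    register = []
    for t in threats:
        residual = mitigated_severity(t, weights)
        response, signoff = risk_response(residual, tolerance)
        register.append({
            "element": t.element, "category": t.category, "data_types": t.data_types,
            "inherent": severity(t.frequency, t.impact, weights), "residual": residual,
            "countermeasures": [c.name for c in t.countermeasures],
            "response": response, "signoff": signoff,
        })
    return register


def risk_profile(register, tolerance=RISK_TOLERANCE):
    """Steps 3.3 and 4.7: the macro view to compare with tolerance and show management."""
    above = [r for r in register if r["residual"] > tolerance]
    return {
        "risks": len(register),
        "above_tolerance": len(above),
        "max_residual": max((r["residual"] for r in register), default=0.0),
        "by_category": dict(Counter(r["category"] for r in register)),
        "signoffs": dict(Counter(r["signoff"] for r in register)),
    }


# Constructed sample TRA for one project; not real data.
SAMPLE_THREATS = [
    Threat("customer database", ("PII", "payment card"), "Information disclosure", 3, 5,
           [Countermeasure("encryption at rest", impact_reduction=1),
            Countermeasure("least-privilege DB roles", frequency_reduction=1)]),
    Threat("public web front end", ("public",), "Denial of service", 4, 2,
           [Countermeasure("CDN rate limiting", frequency_reduction=2)]),
    Threat("admin console", ("credentials",), "Elevation of privilege", 2, 5),
    Threat("audit log pipeline", ("audit records",), "Repudiation", 2, 3,
           [Countermeasure("signed append-only logs", impact_reduction=2)]),
]

if __name__ == "__main__":
    rows = build_register(SAMPLE_THREATS)
    for r in rows:
        print(f"{r['element']:<22} {r['category']:<23} inherent={r['inherent']:>5} "
              f"residual={r['residual']:>5} -> {r['response']} ({r['signoff']})")
    print(risk_profile(rows))
```

Two points worth noticing when you adapt this: the register keeps the inherent score next to the residual one, so step 2.8 (revisiting tolerance) can be argued from data rather than from the residual alone, and because rankings are clamped at 1 a countermeasure can never drive a risk to zero, which is the honest position when the threat still exists.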