Combine Security Risk Management Components Into One Program
€69.98
(Excl. 21% tax)
  • Companies are aware of the need to discuss and assess risk, but many struggle to do so in a systematic and repeatable way.
  • Security risks are rarely analyzed in a consistent manner, let alone with a systematic and repeatable method that determines both project risk and overall organizational risk exposure.

Our Advice

Critical Insight

  • The best security programs are built upon defensible risk management. With an appropriate risk management program in place, you can ensure that security decisions are made strategically instead of based on frameworks and gut feelings. This will optimize any security planning and budgeting.
  • All risks can be quantified. Security, compliance, legal, or other risks can be quantified using our methodology.

Impact and Result

  • Develop a security risk management program to create a standardized methodology for assessing and managing the risk that information systems face.
  • Build a risk governance structure that makes it clear how security risks can be escalated within the organization and who makes the final decision on certain risks.
  • Use Info-Tech’s risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project or initiative.
  • Tie together all aspects of your risk management program, including your information security risk tolerance level, threat and risk assessments, and mitigation effectiveness models.

Combine Security Risk Management Components Into One Program Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop and implement a security risk management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Establish the risk environment

Lay down the foundations for security risk management, including roles and responsibilities and a defined risk tolerance level.

  • Combine Security Risk Management Components Into One Program – Phase 1: Establish the Risk Environment
  • Security Risk Governance Responsibilities and RACI Template
  • Risk Tolerance Determination Tool
  • Risk Weighting Determination Tool

2. Conduct threat and risk assessments

Define frequency and impact rankings, then assess the risk of your project.

  • Combine Security Risk Management Components Into One Program – Phase 2: Conduct Threat and Risk Assessments
  • Threat and Risk Assessment Process Template
  • Threat and Risk Assessment Tool

3. Build the security risk register

Catalog an inventory of individual risks to create an overall risk profile.

  • Combine Security Risk Management Components Into One Program – Phase 3: Build the Security Risk Register
  • Security Risk Register Tool

4. Communicate the risk management program

Communicate the risk-based conclusions and leverage these in security decision making.

  • Combine Security Risk Management Components Into One Program – Phase 4: Communicate the Risk Management Program
  • Security Risk Management Presentation Template
  • Security Risk Management Summary Template

Workshop: Combine Security Risk Management Components Into One Program

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Establish the Risk Environment

The Purpose

Build the foundation needed for a security risk management program.

Define roles and responsibilities of the risk executive.

Define an information security risk tolerance level.

Key Benefits Achieved

Clearly defined roles and responsibilities.

Defined risk tolerance level.

Activities

1.1 Define the security executive function RACI chart.

1.2 Assess business context for security risk management.

1.3 Standardize risk terminology assumptions.

1.4 Conduct preliminary evaluation of risk scenarios to determine your risk tolerance level.

1.5 Decide on a custom risk factor weighting.

1.6 Finalize the risk tolerance level.

1.7 Begin threat and risk assessment.

Outputs

Defined risk executive functions

Risk governance RACI chart

Defined quantified risk tolerance and risk factor weightings

2 Conduct Threat and Risk Assessments

The Purpose

Determine when and how to conduct threat and risk assessments (TRAs).

Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

Developed process for how to conduct threat and risk assessments.

Deep risk analysis for one or two IT projects/initiatives.

Activities

2.1 Determine when to initiate a risk assessment.

2.2 Review appropriate data classification scheme.

2.3 Identify system elements and perform data discovery.

2.4 Map data types to the elements.

2.5 Identify STRIDE threats and assess risk factors.

2.6 Determine the risk actions to take and assign countermeasures.

2.7 Calculate mitigated risk severity based on actions.

2.8 If necessary, revisit risk tolerance.

2.9 Document threat and risk assessment methodology.

Outputs

Defined scope of system elements and data within the assessment

Mapping of data to different system elements

Threat identification and associated risk severity

Defined risk actions to take in the threat and risk assessment process

3 Continue to Conduct Threat and Risk Assessments

The Purpose

Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

Deep risk analysis for one or two IT projects/initiatives, as time permits.

Activities

3.1 Continue threat and risk assessment activities.

3.2 As time permits, one to two threat and risk assessment activities will be performed as part of the workshop.

3.3 Review risk assessment results and compare to risk tolerance level.

Outputs

One to two threat and risk assessment activities performed

Validation of the risk tolerance level

4 Establish a Risk Register and Communicate Risk

The Purpose

Collect, analyze, and aggregate all individual risks into the security risk register.

Plan for the future of risk management.

Key Benefits Achieved

Established risk register to provide overview of the organizational aggregate risk profile.

Ability to communicate risk to other stakeholders as needed.

Activities

4.1 Begin building a risk register.

4.2 Identify individual risks and threats that exist in the organization.

4.3 Decide risk responses, depending on the risk level as it relates to the risk tolerance.

4.4 If necessary, revisit risk tolerance.

4.5 Identify which stakeholders sign off on each risk.

4.6 Plan for the future of risk management.

4.7 Determine how to present risk to senior management.

Outputs

Risk register, with an inventory of risks and a macro view of the organization’s risk

Defined risk-based initiatives to complete

Plan for securing and managing the risk register

Tymans Group is a brand by Gert Taeymans BV
Europe: Koning Albertstraat 136, 2070 Burcht, Belgium — VAT No: BE0685.974.694 — phone: +32 (0) 468.142.754
USA: 4023 KENNETT PIKE, SUITE 751, GREENVILLE, DE 19807 — Phone: 1-917-473-8669

Copyright 2017-2022 Gert Taeymans BV