Define the Information Security Risk Tolerance Level

Do not fill in this field

Enter no text in this field

Get Instant Access
to This Blueprint

Business Email

Full Name

Company

Phone

Job Title

Most organizations make risk decisions informally, based on individual understanding of corporate culture or what they think is best.
Many security professionals are put in an impossible situation – to meet the risk reduction target without a clear understanding of what that target is.
Rarely are security risks analyzed in a consistent manner, let alone in a systematic and repeatable method to determine project risk as well as overall organizational risk exposure.

Our Advice

Critical Insight

Don’t think about threats or vulnerabilities. We cannot control what threats or vulnerabilities are out there, so to build the security program around something so unpredictable will not lead to good results.
Rather, think about business impact – regardless of what causes it, there are certain severe business impacts we will always want to avoid, and other less severe events that we would accept up to a certain frequency. These factors can be reliably identified and provide critical insight for effective risk-based decisions.
All risks can be quantified. Security, compliance, legal, or other risks can be quantified using our methodology.
Consider all impact. Think about more than just informational impact – consider functional and recoverability impact as well.

Impact and Result

Define an executive risk function.
Determine organizational risk culture.
Create a defensible risk tolerance level for your organization.
Leverage quantified risk tolerance level of broader risk management activities.

Define the Information Security Risk Tolerance Level Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should define an information security risk tolerance level and understand Info-Tech’s methodology to support you in completing this project.

Define the Information Security Risk Tolerance Level – Executive Brief

1. Define the risk executive function

Define our risk-framing responsibilities and accountabilities.

2. Assess the risk culture

Perform a lightweight assessment of management and employee risk culture.

3. Define risk assumptions

Define the organizational understanding of risk, assess risk scenarios, define your overall risk tolerance, and manage your macro risk exposure.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Client

Experience

Impact

$ Saved

Days Saved

Testimonial

The Rehmann Group LLC

Guided Implementation

10/10

$2,546

Workshop: Define the Information Security Risk Tolerance Level

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess the Risk Culture and Responsibilities

The Purpose

Discuss the general business requirements and obligations towards risk.
Understand and agree on risk responsibilities and duties.
Define and discuss security assumptions for frequency/impact.

Key Benefits Achieved

Clear understanding of risk language and responsibilities across the organization
Defined risk statement and IT mandate

Activities

Outputs

1.1

Define the security executive function RACI chart.

Defined IT mandate

1.2

Assess employee and management risk culture.

IT and Business Leadership Alignment Report

1.3

Standardize impact and risk assumption terminology.

Information Security Risk Statement

1.4

Define risk requirements and risk frequency/impact thresholds.

Business Leadership Communication and Reporting Plan

Module 2: Define Risk Tolerance

The Purpose

Use risk definitions and understanding to define micro risk tolerance.
Define and discuss organizational risk tolerance for collective macro risk, and high-level strategy for macro risk management.

Key Benefits Achieved

Quantified definition for micro risk tolerance
Quantified methodology for risk impact analysis
Understanding and management method for macro risk

Activities

Outputs

2.1

Perform risk scenario assessment.

Risk Tolerance Determination Tool

2.2

Define and discuss organizational micro risk tolerance.

2.3

Define and discuss macro risk tolerance and macro risk management methodology.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Table of Contents

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Define the risk executive function

Call 1: Review project steps and deliverables and confirm project methodology appropriateness.
Call 2: Customize and complete the risk executive RACI chart.