Get Instant Access
to This Blueprint

Security icon

Combine Security Risk Management Components Into One Program

With great risk management comes a great security program.

  • Companies are aware of the need to discuss and assess risk, but many struggle to do so in a systematic and repeatable way.
  • Rarely are security risks analyzed in a consistent manner, let alone in a systematic and repeatable method to determine project risk as well as overall organizational risk exposure.

Our Advice

Critical Insight

  • The best security programs are built upon defensible risk management. With an appropriate risk management program in place, you can ensure that security decisions are made strategically instead of based on frameworks and gut feelings. This will optimize any security planning and budgeting.
  • All risks can be quantified. Security, compliance, legal, or other risks can be quantified using our methodology.

Impact and Result

  • Develop a security risk management program to create a standardized methodology for assessing and managing the risk that information systems face.
  • Build a risk governance structure that makes it clear how security risks can be escalated within the organization and who makes the final decision on certain risks.
  • Use Info-Tech’s risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project or initiative.
  • Tie together all aspects of your risk management program, including your information security risk tolerance level, threat and risk assessments, and mitigation effectiveness models.

Combine Security Risk Management Components Into One Program Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop and implement a security risk management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Combine Security Risk Management Components Into One Program – Executive Brief
Combine Security Risk Management Components Into One Program – Phases 1-4

1. Establish the risk environment

Lay down the foundations for security risk management, including roles and responsibilities and a defined risk tolerance level.

Combine Security Risk Management Components Into One Program – Phase 1: Establish the Risk Environment
Security Risk Governance Responsibilities and RACI Template
Risk Tolerance Determination Tool
Risk Weighting Determination Tool

3. Build the security risk register

Catalog an inventory of individual risks to create an overall risk profile.

Combine Security Risk Management Components Into One Program – Phase 3: Build the Security Risk Register
Security Risk Register Tool

4. Communicate the risk management program

Communicate the risk-based conclusions and leverage these in security decision making.

Combine Security Risk Management Components Into One Program – Phase 4: Communicate the Risk Management Program
Security Risk Management Presentation Template
Security Risk Management Summary Template

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.0/10

Overall Impact

$29,313

Average $ Saved

24

Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Soboba Band of Luiseno Indians

Guided Implementation

10/10

$11,699

4

EBSCO Industries Inc

Guided Implementation

10/10

$6,499

8

Jon was an amazing partner to work with. His knowledge and expertise were essential to our success in establishing a more rigid Risk Management Pr... Read More

Seneca Gaming Corporation

Workshop

8/10

$12,999

10

Primary benefits of the workshop to SGC: 1 - Opportunity to formally introduce concepts to senior management. It is often helpful when a third-p... Read More

AgHeritage Farm Credit Services d/b/a Insight Technology Unit (ITU)

Workshop

8/10

$30,549

10

I attended a workshop recently that was truly excellent. The leader, Fritz, had a deep understanding of our specific needs and was able to guide us... Read More

UCLA

Workshop

5/10

N/A

N/A

The Stride model and tool were not explained at the beginning of the sessions. I was not clear on the methodology or intended outcomes. The initi... Read More

Diamond Trading Company Botswana (PTY) LTD.

Workshop

10/10

$12,999

10

The best part was that the consultant was very knowledgeable in all aspect of information security and was very engaging and encouraging participat... Read More

UCLA

Workshop

9/10

N/A

32

The best part was our facilitator. She was great. There was no "worst part". The workshop exceeded my expectations.

UCLA

Workshop

10/10

$64,999

20

Coordinating discussion among different teams and helping us identify gaps

Camosun College

Guided Implementation

10/10

$25,000

20

No worst part, these tools take time to work through. The benefits of a structured threat and risk assessment using the STRIDE model is fantastic! ... Read More

California Department of Human Resources

Guided Implementation

10/10

$113K

115

The best part of the experience was the invaluable assistance and advice provided by the analyst, Ian both in terms of research assistance, and in ... Read More

American Transmission Company

Guided Implementation

8/10

$2,393

5

Tools and templates are great.

STERIS Corporation

Guided Implementation

10/10

$12,599

29

Ian is a joy to work with. He really takes the time to tailor the work around progressing programs with actionable items each meeting to improve th... Read More

State of Hawaii – ETS

Guided Implementation

10/10

$64,999

50

Good: - helped realign priorities - will revisit once we've establish a more solid baseline on security program

London Health Sciences Centre and St. Joseph’s Health Care, London

Guided Implementation

9/10

$10,000

5

Overall understanding of problem and some suggestions for a brainstormed solution.

Southwest Gas Corporation

Guided Implementation

10/10

$125K

20

Ian if very knowledgeable about your product as well as risk. He listens well and provides great feedback. We see Ian as a great resource and con... Read More

Atlantic Canada Opportunities Agencies

Guided Implementation

8/10

$47,500

10

Very good feedback. Open discussions. Varied ideas. Strong focus on IT less pertinent to my role, but nonetheless useful. Services are very appr... Read More

Canadian National Railway

Guided Implementation

10/10

$2,000

5

Blessing Hospital

Guided Implementation

8/10

N/A

N/A

Good discussion and follow-up call with additional analyst and different blueprint that may be more targeted towards Dr. Siddiqui's interest.

Blessing Hospital

Guided Implementation

10/10

N/A

N/A

Can't estimate the savings at this point however call exceeded expectations in research material being able to solve the business problem at hand.

California Department of Corrections & Rehabilitation

Guided Implementation

9/10

N/A

N/A

Federal Home Loan Bank of Chicago

Guided Implementation

10/10

N/A

N/A

I loved talking with Ian about risk philosophy! He helped me put together a risk tolerance and risk register for my organization that was focused ... Read More

Nakisa Inc.

Workshop

8/10

N/A

20

All was good.

The Ottawa Hospital

Guided Implementation

10/10

$11,500

10

British Columbia Transit

Workshop

8/10

$50,000

20

California Department of Corrections & Rehabilitation

Guided Implementation

9/10

N/A

N/A

Great insight on how to work through the program steps. Lots of knowledge and advice on what's important and whether a methodical or practical app... Read More

Apria Healthcare

Guided Implementation

8/10

N/A

N/A

Colonial Savings, F.A.

Guided Implementation

10/10

$764K

10

Ian did a great job of understanding what I was trying to accomplish and modifying the process for my needs.

BWX TECHNOLOGIES, INC.

Guided Implementation

9/10

N/A

N/A

Load More Testimonials

Workshop: Combine Security Risk Management Components Into One Program

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Establish the Risk Environment

The Purpose

  • Build the foundation needed for a security risk management program.
  • Define roles and responsibilities of the risk executive.
  • Define an information security risk tolerance level.

Key Benefits Achieved

  • Clearly defined roles and responsibilities.
  • Defined risk tolerance level.

Activities

Outputs

1.1

Define the security executive function RACI chart.

  • Defined risk executive functions
1.2

Assess business context for security risk management.

  • Risk governance RACI chart
1.3

Standardize risk terminology assumptions.

  • Defined quantified risk tolerance and risk factor weightings
1.4

Conduct preliminary evaluation of risk scenarios to determine your risk tolerance level.

1.5

Decide on a custom risk factor weighting.

1.6

Finalize the risk tolerance level.

1.7

Begin threat and risk assessment.

Module 2: Conduct Threat and Risk Assessments

The Purpose

  • Determine when and how to conduct threat and risk assessments (TRAs).
  • Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

  • Developed process for how to conduct threat and risk assessments.
  • Deep risk analysis for one or two IT projects/initiatives.

Activities

Outputs

2.1

Determine when to initiate a risk assessment.

2.2

Review appropriate data classification scheme.

2.3

Identify system elements and perform data discovery.

  • Define scope of system elements and data within assessment
2.4

Map data types to the elements.

  • Mapping of data to different system elements
2.5

Identify STRIDE threats and assess risk factors.

  • Threat identification and associated risk severity
2.6

Determine risk actions taking place and assign countermeasures.

  • Defined risk actions to take place in threat and risk assessment process
2.7

Calculate mitigated risk severity based on actions.

2.8

If necessary, revisit risk tolerance.

2.9

Document threat and risk assessment methodology.

Module 3: Continue to Conduct Threat and Risk Assessments

The Purpose

Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

Deep risk analysis for one or two IT projects/initiatives, as time permits.

Activities

Outputs

3.1

Continue threat and risk assessment activities.

3.2

As time permits, one to two threat and risk assessment activities will be performed as part of the workshop.

  • One to two threat and risk assessment activities performed
3.3

Review risk assessment results and compare to risk tolerance level.

  • Validation of the risk tolerance level

Module 4: Establish a Risk Register and Communicate Risk

The Purpose

  • Collect, analyze, and aggregate all individual risks into the security risk register.
  • Plan for the future of risk management.

Key Benefits Achieved

  • Established risk register to provide overview of the organizational aggregate risk profile.
  • Ability to communicate risk to other stakeholders as needed.

Activities

Outputs

4.1

Begin building a risk register.

  • Risk register, with an inventory of risks and a macro view of the organization’s risk
4.2

Identify individual risks and threats that exist in the organization.

4.3

Decide risk responses, depending on the risk level as it relates to the risk tolerance.

4.4

If necessary, revisit risk tolerance.

4.5

Identify which stakeholders sign off on each risk.

4.6

Plan for the future of risk management.

  • Defined risk-based initiatives to complete
4.7

Determine how to present risk to senior management.

  • Plan for securing and managing the risk register
Unlock This Blueprint

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.0/10
Overall Impact

$29,313
Average $ Saved

24
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Establish the risk environment
  • Call 1: Discuss current risk management processes in the organization.
  • Call 2: Identify the organizational risk tolerance.

Guided Implementation 2: Conduct threat and risk assessments
  • Call 1: Build data element inventory.
  • Call 2: Identify STRIDE threats.
  • Call 3: Assign countermeasures and review final results.

Guided Implementation 3: Build the security risk register
  • Call 1: Establish a risk register and review risk assessment methodology.

Guided Implementation 4: Communicate the risk management program
  • Call 1: Review what reporting requirements are necessary per your risk management program.

Authors

Cameron Smith

Filipe De Souza

Ian Mulholland

Related Content: Governance, Risk & Compliance

Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019
© Info-Tech Research Group | Terms of Use | Privacy Policy