Get Instant Access
to This Blueprint

Security icon

Develop and Implement a Security Risk Management Program

With great risk management comes a great security program.

  • To build an information security program, the organization must have a strong understanding of the risks it faces to help prioritize the controls or initiatives.
  • Security risk is often difficult for business leaders to understand, as it falls out of the realm of their typical expertise.
  • There is no one universal framework or methodology that can be used when it comes to risk management.
  • Much of assessing and managing risk comes from making assumptions around certain threats, which are often weakly informed.

Our Advice

Critical Insight

  • The best security programs are built on defensible risk management. These can ensure security decisions are made based on risk reduction benefit instead of frameworks alone.
  • All risks can be quantified and incorporated into Info-Tech’s defensible model.
  • Security risk management allows organizations to go from security uncertainty to saying confidently whether or not they are providing the correct level of security.

Impact and Result

  • Develop a security risk management program to properly assess and manage the risks that affect your information systems.
  • Tie together all the aspects of your risk management program, including your information security risk tolerance level, threat and risk assessments, and mitigation effectiveness models.
  • Move away from framework-driven security programs and build a program that is based on the unique risk profile of your organization.
  • Use Info-Tech’s Security Risk Register Tool to track all the different threats to the organization and understand what is above or below an acceptable level of risk.

Develop and Implement a Security Risk Management Program

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop and implement a security risk management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Establish the risk environment

Lay the foundation for security risk management, including roles and responsibilities and a defined risk tolerance level.

2. Build the security risk register

Catalog an inventory of individual risks to create an overall risk profile.

3. Manage and communicate the risk register results

Communicate the risk-based conclusions and leverage these in security decision making.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Client

Experience

Impact

$ Saved

Days Saved

Multnomah County

Workshop

9/10

$117K

N/A


Onsite Workshop: Develop and Implement a Security Risk Management Program

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Establish the Risk Environment

The Purpose

  • Build the foundation needed for a security risk management program.
  • Define roles and responsibilities of the risk executive.
  • Define an information security risk tolerance level.

Key Benefits Achieved

  • Clearly defined roles and responsibilities.
  • Defined risk tolerance level.

Activities

Outputs

1.1

Define the security executive function RACI chart.

  • Defined roles and responsibilities for the risk executive
1.2

Assess your organizational risk culture.

1.3

Perform a cursory assessment of management risk culture.

1.4

Standardize impact terminology.

  • Standardized impact terminology to be used throughout the risk model
1.5

Define frequency or impact thresholds outside of individual risk tolerance level.

  • Defined frequency and impact thresholds to be used throughout the risk model
1.6

Evaluate risk scenarios to determine your micro risk tolerance level.

1.7

Optimize the sensitivity of your screening test.

1.8

Decide on a custom weighting.

1.9

Finalize the risk tolerance level.

  • Defined risk tolerance level
1.10

Define macro risk tolerance level.

Module 2: Conduct Threat and Risk Assessments

The Purpose

  • Determine when and how to conduct threat and risk assessments (TRAs).
  • Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

  • Developed process for how to conduct threat and risk assessments.
  • Deep risk analysis for one or two IT projects/initiatives, as time permits.

Activities

Outputs

2.1

Determine when to initiate a risk assessment and which project/initiative will be assessed.

  • Established criteria for when to conduct risk assessments
2.2

Review appropriate data classification scheme.

2.3

Identify system elements and perform data discovery.

  • Defined scope of the threat and risk assessment
2.4

Map data types to the elements.

2.5

Identify STRIDE threats and assign rankings.

  • Identified threats to the particular project and defined current severity level
2.6

Determine risk actions taking place and assign countermeasures.

  • Defined actions to review and/or reduce risk
2.7

Calculate mitigated risk severity based on actions.

  • Defined mitigated risk severity level
2.8

Review results and form risk-based decisions.

  • Final decisions made based upon the final risk assessment results

Module 3: Build a Security Risk Register

The Purpose

  • Collect, analyze, and aggregate all individual risks into the security risk register.
  • Plan for the future of risk management.

Key Benefits Achieved

  • Established risk register to provide overview of the organizational macro risk level.
  • Ability to communicate risk to other stakeholders as needed.

Activities

Outputs

3.1

Begin building a risk register.

  • Established risk register document
3.2

Identify risks and threats that exist in the organization.

  • Identification of risks beyond that of the TRAs alone
3.3

Identify which stakeholders sign off on each risk.

3.4

Review the aggregate risk level of the entire organization.

  • Understanding of the aggregate level of risk
3.5

Act upon risk results, depending on the aggregate level as it relates to the risk tolerance.

3.6

If necessary, revisit risk tolerance.

3.7

Plan for the future of risk management.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Try Our Guided Implementations

Get the help you need in this 3-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Establish the risk environment
  • Call #1 - Have a project kick-off call.
  • Call #2 - Establish risk management responsibilities.
  • Call #3 - Establish the information security risk tolerance.

Guided Implementation #2 - Build the security risk register
  • Call #1 - Begin building the risk register through risk identification.
  • Call #2 - Evaluate the risk results and review aggregate risk level.

Guided Implementation #3 - Manage and communicate the risk register results
  • Call #1 - Secure the risk register.
  • Call #2 - Communicate conclusions drawn from risk register.
  • Call #3 - Leverage risk conclusions in security decisions.

Contributors

  • Robert Banniza, Senior Director – IT Center Security, AMSURG
  • Robert Hawk, Information Security Expert, xMatters, inc
  • Joey LaCour, CISO, Colonial Savings, F.A.
  • Sky Sharma, Cyber Security Advocate
  • 1 additional anonymous contributor
Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019