Combine Information Security Risk Management Components Into One Program
With great risk management comes a great security program.
Book This Workshop
A lack of risk assessments or having informal risk processes can result in:
- Unintentional risk acceptance.
- Poor strategic planning of mitigating controls.
- Confusion about how one project’s risk relates to another.
A formal, standardized risk assessment process leads to:
- A defensible and repeatable risk assessment model.
- Security controls designed to prevent risk associated with a particular project.
- Informed risk decisions, rather than reliance on hunches.
Book Your Workshop
Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
Book NowModule 1: Establish the Risk Environment
The Purpose
- Build the foundation needed for a security risk management program.
- Define roles and responsibilities of the risk executive.
- Define an information security risk tolerance level.
Key Benefits Achieved
- Clearly defined roles and responsibilities.
- Defined risk tolerance level.
Activities: | Outputs: | |
---|---|---|
1.1 | Define the security executive function RACI chart. |
|
1.2 | Assess business context for security risk management. |
|
1.3 | Standardize risk terminology assumptions. |
|
1.4 | Conduct preliminary evaluation of risk scenarios to determine your risk tolerance level. |
|
1.5 | Decide on a custom risk factor weighting. |
|
1.6 | Finalize the risk tolerance level. |
|
1.7 | Begin threat and risk assessment. |
|
Module 2: Conduct Threat and Risk Assessments
The Purpose
- Determine when and how to conduct threat and risk assessments (TRAs).
- Complete one or two TRAs, as time permits during the workshop.
Key Benefits Achieved
- Developed process for how to conduct threat and risk assessments.
- Deep risk analysis for one or two IT projects/initiatives.
Activities: | Outputs: | |
---|---|---|
2.1 | Determine when to initiate a risk assessment. |
|
2.2 | Review appropriate data classification scheme. |
|
2.3 | Identify system elements and perform data discovery. |
|
2.4 | Map data types to the elements. |
|
2.5 | Identify STRIDE threats and assess risk factors. |
|
2.6 | Determine risk actions taking place and assign countermeasures. |
|
2.7 | Calculate mitigated risk severity based on actions. |
|
2.8 | If necessary, revisit risk tolerance. |
|
2.9 | Document threat and risk assessment methodology. |
|
Module 3: Continue to Conduct Threat and Risk Assessments
The Purpose
Complete one or two TRAs, as time permits during the workshop.
Key Benefits Achieved
Deep risk analysis for one or two IT projects/initiatives, as time permits.
Activities: | Outputs: | |
---|---|---|
3.1 | Continue threat and risk assessment activities. |
|
3.2 | As time permits, one to two threat and risk assessment activities will be performed as part of the workshop. |
|
3.3 | Review risk assessment results and compare to risk tolerance level. |
|
Module 4: Establish a Risk Register and Communicate Risk
The Purpose
- Collect, analyze, and aggregate all individual risks into the security risk register.
- Plan for the future of risk management.
Key Benefits Achieved
- Established risk register to provide overview of the organizational aggregate risk profile.
- Ability to communicate risk to other stakeholders as needed.
Activities: | Outputs: | |
---|---|---|
4.1 | Begin building a risk register. |
|
4.2 | Identify individual risks and threats that exist in the organization. |
|
4.3 | Decide risk responses, depending on the risk level as it relates to the risk tolerance. |
|
4.4 | If necessary, revisit risk tolerance. |
|
4.5 | Identify which stakeholders sign off on each risk. |
|
4.6 | Plan for the future of risk management. |
|
4.7 | Determine how to present risk to senior management. |
|