Combine Information Security Risk Management Components Into One Program

With great risk management comes a great security program.

Onsite Workshop

A lack of risk assessments or having informal risk processes can result in:

  • Unintentional risk acceptance.
  • Poor strategic planning of mitigating controls.
  • Confusion about how one project’s risk relates to another.

A formal, standardized risk assessment process leads to:

  • A defensible and repeatable risk assessment model.
  • Security controls designed to prevent risk associated with a particular project.
  • Informed risk decisions, rather than reliance on hunches.

Module 1: Establish the Risk Environment

The Purpose

  • Build the foundation needed for a security risk management program.
  • Define roles and responsibilities of the risk executive.
  • Define an information security risk tolerance level.

Key Benefits Achieved

  • Clearly defined roles and responsibilities.
  • Defined risk tolerance level.

Activities: Outputs:
1.1 Define the security executive function RACI chart.
  • Defined risk executive functions
1.2 Assess business context for security risk management.
  • Risk governance RACI chart
1.3 Standardize risk terminology assumptions.
  • Defined quantified risk tolerance and risk factor weightings
1.4 Conduct preliminary evaluation of risk scenarios to determine your risk tolerance level.
1.5 Decide on a custom risk factor weighting.
1.6 Finalize the risk tolerance level.
1.7 Begin threat and risk assessment.

Module 2: Conduct Threat and Risk Assessments

The Purpose

  • Determine when and how to conduct threat and risk assessments (TRAs).
  • Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

  • Developed process for how to conduct threat and risk assessments.
  • Deep risk analysis for one or two IT projects/initiatives.

Activities: Outputs:
2.1 Determine when to initiate a risk assessment.
2.2 Review appropriate data classification scheme.
2.3 Identify system elements and perform data discovery.
  • Define scope of system elements and data within assessment
2.4 Map data types to the elements.
  • Mapping of data to different system elements
2.5 Identify STRIDE threats and assess risk factors.
  • Threat identification and associated risk severity
2.6 Determine risk actions taking place and assign countermeasures.
  • Defined risk actions to take place in threat and risk assessment process
2.7 Calculate mitigated risk severity based on actions.
2.8 If necessary, revisit risk tolerance.
2.9 Document threat and risk assessment methodology.

Module 3: Continue to Conduct Threat and Risk Assessments

The Purpose

Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

Deep risk analysis for one or two IT projects/initiatives, as time permits.

Activities: Outputs:
3.1 Continue threat and risk assessment activities.
3.2 As time permits, one to two threat and risk assessment activities will be performed as part of the workshop.
  • One to two threat and risk assessment activities performed
3.3 Review risk assessment results and compare to risk tolerance level.
  • Validation of the risk tolerance level

Module 4: Establish a Risk Register and Communicate Risk

The Purpose

  • Collect, analyze, and aggregate all individual risks into the security risk register.
  • Plan for the future of risk management.

Key Benefits Achieved

  • Established risk register to provide overview of the organizational aggregate risk profile.
  • Ability to communicate risk to other stakeholders as needed.

Activities: Outputs:
4.1 Begin building a risk register.
  • Risk register, with an inventory of risks and a macro view of the organization’s risk
4.2 Identify individual risks and threats that exist in the organization.
4.3 Decide risk responses, depending on the risk level as it relates to the risk tolerance.
4.4 If necessary, revisit risk tolerance.
4.5 Identify which stakeholders sign off on each risk.
4.6 Plan for the future of risk management.
  • Defined risk-based initiatives to complete
4.7 Determine how to present risk to senior management.
  • Plan for securing and managing the risk register

Workshop icon Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.

Book a Workshop View Blueprint
GET HELP Contact Us
×
VL Methodology