Define the Information Security Risk Tolerance Level
Your best guess at what’s needed doesn’t cut it anymore.
RETIRED CONTENT
Please note that the content on this page is retired. This content is not maintained and may contain information or links that are out of date.Making risk decisions without a clearly defined risk tolerance can result in:
- Inadvertent acceptance of dangerous risks
- Spending security funds on ineffective controls
- Ambiguous security risk responsibilities
Clear understanding of risk tolerance leads to:
- Informed risk decisions
- Efficient and effective rationale for security spend
- Clearly assigned risk functions
Book Your Workshop
Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
Module 1: Assess the Risk Culture and Responsibilities
The Purpose
- Discuss the general business requirements and obligations towards risk.
- Understand and agree on risk responsibilities and duties.
- Define and discuss security assumptions for frequency/impact.
Key Benefits Achieved
- Clear understanding of risk language and responsibilities across the organization
- Defined risk statement and IT mandate
| Activities: | Outputs: | |
|---|---|---|
| 1.1 | Define the security executive function RACI chart. |
|
| 1.2 | Assess employee and management risk culture. |
|
| 1.3 | Standardize impact and risk assumption terminology. |
|
| 1.4 | Define risk requirements and risk frequency/impact thresholds. |
|
Module 2: Define Risk Tolerance
The Purpose
- Use risk definitions and understanding to define micro risk tolerance.
- Define and discuss organizational risk tolerance for collective macro risk, and high-level strategy for macro risk management.
Key Benefits Achieved
- Quantified definition for micro risk tolerance
- Quantified methodology for risk impact analysis
- Understanding and management method for macro risk
| Activities: | Outputs: | |
|---|---|---|
| 2.1 | Perform risk scenario assessment. |
|
| 2.2 | Define and discuss organizational micro risk tolerance. |
|
| 2.3 | Define and discuss macro risk tolerance and macro risk management methodology. |
|