Lack of risk assessments or informal risk processes can result in:
Unintentional risk acceptance.
Poor strategic planning of mitigating controls.
Confusion about how one project’s risk relates to another.
A formal, standardized risk assessment process leads to:
A defensible and repeatable risk assessment model.
Security controls designed to prevent risk associated with a particular project.
Informed risk decisions, rather than reliance on hunches.
Module 1: Establish the Risk Environment
The Purpose
Build the foundation needed for a security risk management program.
Define roles and responsibilities of the risk executive.
Define an information security risk tolerance level.
Key Benefits Achieved
Clearly defined roles and responsibilities.
Defined risk tolerance level.
Activities:
Outputs:
1.1
Define the security executive function RACI chart.
Defined roles and responsibilities for the risk executive
1.2
Assess your organizational risk culture.
1.3
Perform a cursory assessment of management risk culture.
1.4
Standardize impact terminology.
Standardized impact terminology to be used throughout the risk model
1.5
Define frequency or impact thresholds outside of individual risk tolerance level.
Defined frequency and impact thresholds to be used throughout the risk model
1.6
Evaluate risk scenarios to determine risk tolerance level.
1.7
Optimize the sensitivity of your screening test.
1.8
Decide on a custom weighting.
1.9
Finalize the risk tolerance level.
Defined risk tolerance level
Module 2: Conduct Threat and Risk Assessments
The Purpose
Determine when and how to conduct threat and risk assessments (TRAs).
Complete one or two TRAs, as time permits during the workshop.
Key Benefits Achieved
Developed process for how to conduct threat and risk assessments.
Deep risk analysis for one or two IT projects/initiatives, as time permits.
Activities:
Outputs:
2.1
Determine when to initiate a risk assessment and which project/initiative will be assessed.
Established criteria for when to conduct risk assessments
2.2
Review appropriate data classification scheme.
2.3
Identify system elements and perform data discovery.
Defined scope of the threat and risk assessment
2.4
Map data types to the elements.
2.5
Identify STRIDE threats and assign rankings.
Identified threats to the particular project and defined current severity level
2.6
Determine risk actions taking place and assign countermeasures.
Defined actions to review and/or reduce risk
2.7
Calculate mitigated risk severity based on actions.
Defined mitigated risk severity level
2.8
Review results and form risk-based decisions.
Final decisions made based upon the final risk assessment results
Module 3: Build a Security Risk Register
The Purpose
Collect, analyze, and aggregate all individual risks into the security risk register.
Plan for the future of risk management.
Key Benefits Achieved
Established risk register to provide overview of the organizational aggregate risk profile.
Ability to communicate risk to other stakeholders as needed.
Activities:
Outputs:
3.1
Begin building a risk register.
Established risk register document.
3.2
Identify risks and threats that exist in the organization.
Identification of risks beyond that of the TRAs alone.
3.3
Identify which stakeholders sign off on each risk.
3.4
Review the aggregate risk level of the entire organization.
Understanding of the aggregate level of risk.
3.5
Act upon risk results, depending on the aggregate level as it relates to the risk tolerance.
3.6
If necessary, revisit risk tolerance.
3.7
Plan for the future of risk management.
Book Your Workshop
Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
Book Your Workshop