Develop and Implement a Security Risk Management Program
With great risk management comes a great security program.
Book This Workshop
Without security risk management in place, organizations are unable to:
- Prioritize different security initiatives and controls.
- Communicate if they are currently secure.
- Articulate if they will be secure in the future.
- Provide the best level of security for their unique threat model.
By implementing Info-Tech’s security risk management model, organizations can:
- Take a dynamic view into how risk changes on a micro and macro scale.
- Clearly state whether they are below a defined risk tolerance level or above it.
- Build security strategies that are prioritized for the particular needs of the organization.
Book Your Workshop
Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
Book NowModule 1: Establish the Risk Environment
The Purpose
- Build the foundation needed for a security risk management program.
- Define roles and responsibilities of the risk executive.
- Define an information security risk tolerance level.
Key Benefits Achieved
- Clearly defined roles and responsibilities.
- Defined risk tolerance level.
| Activities: | Outputs: | |
|---|---|---|
| 1.1 | Define the security executive function RACI chart. |
|
| 1.2 | Assess your organizational risk culture. |
|
| 1.3 | Perform a cursory assessment of management risk culture. |
|
| 1.4 | Standardize impact terminology. |
|
| 1.5 | Define frequency or impact thresholds outside of individual risk tolerance level. |
|
| 1.6 | Evaluate risk scenarios to determine your micro risk tolerance level. |
|
| 1.7 | Optimize the sensitivity of your screening test. |
|
| 1.8 | Decide on a custom weighting. |
|
| 1.9 | Finalize the risk tolerance level. |
|
| 1.10 | Define macro risk tolerance level. |
|
Module 2: Conduct Threat and Risk Assessments
The Purpose
- Determine when and how to conduct threat and risk assessments (TRAs).
- Complete one or two TRAs, as time permits during the workshop.
Key Benefits Achieved
- Developed process for how to conduct threat and risk assessments.
- Deep risk analysis for one or two IT projects/initiatives, as time permits.
| Activities: | Outputs: | |
|---|---|---|
| 2.1 | Determine when to initiate a risk assessment and which project/initiative will be assessed. |
|
| 2.2 | Review appropriate data classification scheme. |
|
| 2.3 | Identify system elements and perform data discovery. |
|
| 2.4 | Map data types to the elements. |
|
| 2.5 | Identify STRIDE threats and assign rankings. |
|
| 2.6 | Determine risk actions taking place and assign countermeasures. |
|
| 2.7 | Calculate mitigated risk severity based on actions. |
|
| 2.8 | Review results and form risk-based decisions. |
|
Module 3: Build a Security Risk Register
The Purpose
- Collect, analyze, and aggregate all individual risks into the security risk register.
- Plan for the future of risk management.
Key Benefits Achieved
- Established risk register to provide overview of the organizational macro risk level.
- Ability to communicate risk to other stakeholders as needed.
| Activities: | Outputs: | |
|---|---|---|
| 3.1 | Begin building a risk register. |
|
| 3.2 | Identify risks and threats that exist in the organization. |
|
| 3.3 | Identify which stakeholders sign off on each risk. |
|
| 3.4 | Review the aggregate risk level of the entire organization. |
|
| 3.5 | Act upon risk results, depending on the aggregate level as it relates to the risk tolerance. |
|
| 3.6 | If necessary, revisit risk tolerance. |
|
| 3.7 | Plan for the future of risk management. |
|