Develop and Implement a Security Risk Management Program
With great risk management comes a great security program.
Onsite Workshop
Without security risk management in place, organizations are unable to:
- Prioritize different security initiatives and controls.
- Communicate if they are currently secure.
- Articulate if they will be secure in the future.
- Provide the best level of security for their unique threat model.
By implementing Info-Tech’s security risk management model, organizations can:
- Take a dynamic view into how risk changes on a micro and macro scale.
- Clearly state whether they are below a defined risk tolerance level or above it.
- Build security strategies that are prioritized for the particular needs of the organization.
Module 1: Establish the Risk Environment
The Purpose
- Build the foundation needed for a security risk management program.
- Define roles and responsibilities of the risk executive.
- Define an information security risk tolerance level.
Key Benefits Achieved
- Clearly defined roles and responsibilities.
- Defined risk tolerance level.
| # | Activity | Output |
|---|---|---|
| 1.1 | Define the security executive function RACI chart. | |
| 1.2 | Assess your organizational risk culture. | |
| 1.3 | Perform a cursory assessment of management risk culture. | |
| 1.4 | Standardize impact terminology. | |
| 1.5 | Define frequency or impact thresholds outside of individual risk tolerance level. | |
| 1.6 | Evaluate risk scenarios to determine your micro risk tolerance level. | |
| 1.7 | Optimize the sensitivity of your screening test. | |
| 1.8 | Decide on a custom weighting. | |
| 1.9 | Finalize the risk tolerance level. | |
| 1.10 | Define macro risk tolerance level. | |
Module 2: Conduct Threat and Risk Assessments
The Purpose
- Determine when and how to conduct threat and risk assessments (TRAs).
- Complete one or two TRAs, as time permits during the workshop.
Key Benefits Achieved
- Developed process for how to conduct threat and risk assessments.
- Deep risk analysis for one or two IT projects/initiatives, as time permits.
| # | Activity | Output |
|---|---|---|
| 2.1 | Determine when to initiate a risk assessment and which project/initiative will be assessed. | |
| 2.2 | Review appropriate data classification scheme. | |
| 2.3 | Identify system elements and perform data discovery. | |
| 2.4 | Map data types to the elements. | |
| 2.5 | Identify STRIDE threats and assign rankings. | |
| 2.6 | Determine risk actions taking place and assign countermeasures. | |
| 2.7 | Calculate mitigated risk severity based on actions. | |
| 2.8 | Review results and form risk-based decisions. | |
Module 3: Build a Security Risk Register
The Purpose
- Collect, analyze, and aggregate all individual risks into the security risk register.
- Plan for the future of risk management.
Key Benefits Achieved
- Established risk register to provide overview of the organizational macro risk level.
- Ability to communicate risk to other stakeholders as needed.
| # | Activity | Output |
|---|---|---|
| 3.1 | Begin building a risk register. | |
| 3.2 | Identify risks and threats that exist in the organization. | |
| 3.3 | Identify which stakeholders sign off on each risk. | |
| 3.4 | Review the aggregate risk level of the entire organization. | |
| 3.5 | Act upon risk results, depending on the aggregate level as it relates to the risk tolerance. | |
| 3.6 | If necessary, revisit risk tolerance. | |
| 3.7 | Plan for the future of risk management. | |
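The following is an added illustration of how the Module 2 TRA steps (2.5 rank STRIDE threats, 2.6 assign countermeasures, 2.7 compute mitigated severity) feed the Module 3 register (3.3 sign-off owner, 3.4 aggregate level, 3.5 compare against tolerance). It is example code written for this page, not Info-Tech's tool or scoring model. The scoring model is an assumption: severity is likelihood x impact on 1-5 scales, each countermeasure subtracts points from likelihood or impact, the register's aggregate level is the mean mitigated severity, and the system names, owners, scores and tolerance values are constructed sample data.

```python
"""Toy TRA scorer feeding a security risk register (illustrative model, not Info-Tech's)."""
from dataclasses import dataclass, field

# Threat categories from the STRIDE model (step 2.5).
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass
class Countermeasure:
    """A risk action (step 2.6). Reductions are assumed point deductions on the 1-5 scales."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Threat:
    element: str            # system element found during data discovery (step 2.3)
    category: str           # one of STRIDE
    likelihood: int         # 1 (rare) .. 5 (near certain)
    impact: int             # 1 (negligible) .. 5 (severe), using standardized impact terms (1.4)
    countermeasures: list = field(default_factory=list)
    owner: str = "unassigned"   # stakeholder who signs off on this risk (step 3.3)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category}")
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on a 1-5 scale")

    def inherent_severity(self) -> int:
        """Severity before any countermeasure (assumed likelihood x impact)."""
        return self.likelihood * self.impact

    def mitigated_severity(self) -> int:
        """Step 2.7: severity after countermeasures, never dropping below 1 on either axis."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.countermeasures))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.countermeasures))
        return lik * imp


def rating(severity: int) -> str:
    """Assumed bands on the 1..25 severity scale."""
    if severity >= 15:
        return "High"
    if severity >= 8:
        return "Medium"
    return "Low"


@dataclass
class RiskRegister:
    micro_tolerance: int        # per-risk threshold (Module 1, step 1.9)
    macro_tolerance: float      # organization-wide threshold (step 1.10)
    entries: list = field(default_factory=list)

    def add(self, threat: Threat) -> None:
        # Step 3.3: a risk is not registered until a stakeholder owns the sign-off.
        if threat.owner == "unassigned":
            raise ValueError(f"{threat.element}/{threat.category} has no sign-off owner")
        self.entries.append(threat)

    def aggregate_level(self) -> float:
        """Step 3.4: assumed aggregate = mean mitigated severity across the register."""
        return sum(t.mitigated_severity() for t in self.entries) / len(self.entries)

    def above_micro_tolerance(self) -> list:
        return [t for t in self.entries if t.mitigated_severity() > self.micro_tolerance]

    def decision(self) -> str:
        """Step 3.5: act or accept depending on aggregate and individual levels."""
        if self.aggregate_level() > self.macro_tolerance:
            return "Act: aggregate risk above macro tolerance"
        if self.above_micro_tolerance():
            return "Act: individual risks exceed micro tolerance"
        return "Accept: within tolerance; monitor"


def build_sample_register() -> RiskRegister:
    """Constructed sample data: three threats from a hypothetical TRA."""
    reg = RiskRegister(micro_tolerance=9, macro_tolerance=9.0)
    reg.add(Threat("Customer DB", "Tampering", likelihood=4, impact=5, owner="CISO",
                   countermeasures=[Countermeasure("DB integrity monitoring", likelihood_reduction=2)]))
    reg.add(Threat("Public web app", "Denial of service", likelihood=5, impact=3, owner="Head of Ops",
                   countermeasures=[Countermeasure("CDN rate limiting", 2, 1)]))
    reg.add(Threat("Admin portal", "Elevation of privilege", likelihood=3, impact=5, owner="CIO",
                   countermeasures=[Countermeasure("MFA", likelihood_reduction=1),
                                    Countermeasure("Least-privilege roles", impact_reduction=1)]))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for t in reg.entries:
        print(f"{t.element:16} {t.category:24} inherent={t.inherent_severity():2} "
              f"mitigated={t.mitigated_severity():2} ({rating(t.mitigated_severity())}) owner={t.owner}")
    print(f"aggregate={reg.aggregate_level():.1f} -> {reg.decision()}")
```

Running it shows the Customer DB tampering risk dropping from 20 to 10 after integrity monitoring, which still exceeds the micro tolerance of 9 even though the aggregate (8.0) sits under the macro tolerance; that is the step 3.5 situation where a single risk, not the organization-wide level, drives the action, and step 3.6 would ask whether the tolerance itself is right.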