There are many sources of information that can help you establish a risk management process resulting in an enterprise security risk management plan. One of the first documents you should consider is NIST Special Publication 800-53 V3, "Recommended Security Controls for Federal Information Systems and Organizations". In chapter 3 of this standard, there is an excellent flow chart to help guide you through the key processes when developing your risk plan and framework. Figure 3-1 of NIST SP 800-53 is included to the right.
Essentially, the process starts with your "organizational inputs" and "architecture description" as the foundational information you use to identify your assets and categorize them.
For example, organizational inputs could include the core business of the organization that should not be hindered, the business' key customers and applicable key laws with which the business must comply.
Examples of the architectural description are listed above in the diagram and include the enterprise mission/business processes, the system architectures and the boundaries of the information systems that need to be protected.
In another NIST Special Publication -- SP 800-39, DRAFT Managing Risk from Information Systems (.pdf) -- the reader is provided a general view of managing risk to the organization with security controls applied to information systems and infrastructure. A high-level view of the approach from this NIST document is offered in Figure 1 to the left.
A third document that may be helpful when developing a risk management plan format is a seminal article in Information Security magazine, by my colleague Cris Ewell, entitled "How to write a risk methodology that blends business, security needs" (June 2009). In this article, Cris notes the following key points for those trying to develop a risk management plan and process:
The risk process must be rooted in the principles of security and integrated into a security program that blends business needs, due care, current attack vectors as well as addressing the requirements of regulations and contractual requirements. Compliance with standards and regulations helps to show due care, but should not be the driving force in a security program. It is not possible to address all of the threats and vulnerabilities. Instead of prescriptive controls, reduction of residual risk should be the driving force for the direction of development, assessment, and improvement of information security practices within the organization.
In Cris' article, he continues to describe how his risk management framework is built upon three categories and 13 elements, which include the following:
- Strategic Category
  - Organization and authority
- Tactical Category
  - Audit and compliance
  - Risk management
  - Incident management
  - Education and awareness
- Operational Category
  - Operational management
  - Technical security and access control
  - Monitoring, measurement and reporting
  - Physical and environmental security
  - Asset identification and classification
  - Account management and outsourcing
You may want to scour the Internet for other potential risk management plans. However, the NIST documents and Ewell's article mentioned above are all excellent resources, and free.