How to perform an enterprise risk analysis

Some IT security best practices might not be right for your enterprise. In this expert response, learn how to perform an enterprise risk assessment and analysis to determine which of your resources are at risk and how to protect them.

Concerning David Mortman's tip "Information security management hype: Debunking best practices," I have always wondered where the "good" and "better" practices are, as "best" implies some type of continuum or scaling. As a practitioner, I usually can afford "good enough." Is there some sort of analysis process I can do to determine what is or isn't a "good enough" practice for my enterprise?

For starters, forget about good practices or best practices. As you've already said, what you can manage is "good enough." So while knowing what your peers are doing is worthwhile, it doesn't necessarily aid your decision-making process. After all, as the old adage goes: If everyone else was jumping off a cliff, would you do the same thing?

To answer the question more specifically, there is, in fact, an analytical process you can perform to determine what is good enough for your enterprise. That process is called risk analysis. There are some great frameworks out there, but my favorite is Factor Analysis of Information Risk, or FAIR. In the end, though, the assessment doesn't have to be fancy, and you can easily build your own decision matrix using Hubbard-esque estimations.

Regardless of your technique or process, you need to find out what resources are important to your enterprise. Start by talking with your CIO, and then interview the heads of the other business units as well. Find out what systems and data they care about and where they think that data is. This will give you a prioritized list to begin the assessment. If you don't have this list of prioritized resources, it doesn't matter whether you use risk management, best practices or any other technique; in the end, it will all just be guesswork.
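The kind of "decision matrix built from Hubbard-esque estimations" the answer describes can be sketched in a few dozen lines. The following is an added example, not code from the original answer, from the FAIR standard or from its author: it takes a calibrated 90% confidence interval for loss event frequency and for loss magnitude per asset (the two top-level FAIR factors), samples both from a lognormal distribution, runs a Monte Carlo simulation of annual loss, and ranks the assets by expected annual loss. The asset names, ranges and dollar figures are constructed illustrations, and the `control_is_worth_it` helper is a simple break-even test added here, not part of FAIR.

```python
"""
Added example (not from the original answer or from the FAIR standard):
a minimal FAIR-style risk analysis that turns calibrated 90% estimates
(Hubbard-style ranges) into a ranked list of assets by annualised loss.

Assumed model: annual loss = sum of loss magnitudes over the loss events in
a year, with loss event frequency (LEF) and loss magnitude (LM) each given
as a 90% confidence interval and sampled from a lognormal distribution.
All asset names and numbers below are constructed illustrations.
"""
import math
import random
from dataclasses import dataclass

Z90 = 3.29  # width of a 90% interval in standard deviations (2 * 1.645)


@dataclass
class Asset:
    name: str
    lef_90ci: tuple  # (low, high) loss events per year, 90% CI
    lm_90ci: tuple   # (low, high) loss per event in dollars, 90% CI


def lognormal_params(low, high):
    """Convert a 90% CI on a positive quantity into lognormal (mu, sigma)."""
    if not 0 < low < high:
        raise ValueError("CI must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / Z90
    return mu, sigma


def poisson(rng, lam):
    """Knuth's method; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(asset, rng, trials=20000):
    """Monte Carlo: sample a yearly LEF, draw that many events, sum their LM."""
    lef_mu, lef_sigma = lognormal_params(*asset.lef_90ci)
    lm_mu, lm_sigma = lognormal_params(*asset.lm_90ci)
    losses = []
    for _ in range(trials):
        events = poisson(rng, rng.lognormvariate(lef_mu, lef_sigma))
        losses.append(sum(rng.lognormvariate(lm_mu, lm_sigma)
                          for _ in range(events)))
    losses.sort()
    return {
        "asset": asset.name,
        "expected_annual_loss": sum(losses) / trials,
        "p90_annual_loss": losses[int(0.9 * trials)],
    }


def rank_assets(assets, seed=1):
    """The decision matrix: assets ordered by expected annual loss."""
    rng = random.Random(seed)  # fixed seed so the ranking is reproducible
    results = [simulate_annual_loss(a, rng) for a in assets]
    return sorted(results, key=lambda r: r["expected_annual_loss"], reverse=True)


def control_is_worth_it(expected_loss_before, expected_loss_after, annual_cost):
    """Break-even test (added here): fund a control only if the loss it
    removes per year exceeds what it costs per year."""
    return expected_loss_before - expected_loss_after > annual_cost


# Constructed sample inventory, as would come out of the CIO / business-unit
# interviews the answer recommends.
ASSETS = [
    Asset("customer database", lef_90ci=(0.1, 1.0), lm_90ci=(100_000, 1_000_000)),
    Asset("email gateway", lef_90ci=(0.5, 2.0), lm_90ci=(10_000, 50_000)),
    Asset("internal wiki", lef_90ci=(1.0, 5.0), lm_90ci=(1_000, 10_000)),
]

if __name__ == "__main__":
    for row in rank_assets(ASSETS):
        print(f"{row['asset']:18s} EAL ${row['expected_annual_loss']:>12,.0f}"
              f"  p90 ${row['p90_annual_loss']:>12,.0f}")
```

The useful output is the ordering and the spread between the mean and the 90th percentile, not the precise dollar figures: the ranges come from calibrated estimates, so the ranking tells you where to start the assessment and the tail tells you which assets could produce a loss far above the average year.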

For more information:

  • Learn how to choose a general security risk assessment.
  • Failure mode and effects analysis: Process and system risk assessment. Check out this template.

This was first published in September 2009.
