Essential Guide

How to hone an effective vulnerability management program

A comprehensive collection of articles, videos and more, hand-picked by our editors
How to use the RACI matrix for a security risk assessment

Expert Joseph Granneman explains how the RACI matrix can be used as part of an information security risk assessment.

Is it worthwhile to use the RACI matrix to assess human-related risks in an information security risk assessment?

The RACI matrix (also known as a responsibility assignment matrix) is definitely worthwhile to use in any risk assessment, including the evaluation of human-related risks. It was designed to define roles and relationships within any type of project or process, which gives it a great deal of flexibility. A RACI matrix also works well as a management tool because it lets you assign subtasks of the risk assessment to specific information security team members.

For those who are not familiar with the term "RACI," it is derived from the roles defined in the matrix: responsible, accountable, consulted and informed. An example RACI matrix for assessing a human-related risk for the category "password policy" would look like this:

Category         | Responsible | Accountable | Consulted          | Informed
-----------------|-------------|-------------|--------------------|---------
Password Policy  | Employees   | CISO        | Executives, Legal  | Auditors

In the example, the responsibilities for the password policy become clear once they are put into the RACI matrix. The employees represent the risk for the password policy category. The CISO is accountable for mitigating that risk while also gathering input from other executives and legal staff. Auditors must be kept apprised of progress made to mitigate the risk. This process repeats with the next category of risk and continues until all of the potential risks have been identified, with the final product being a concise, easy-to-understand chart representing the human risks and the mitigations in place.

This was first published in January 2014
