Without knowing how mature your organization is with respect to IT in general and information security in specific, it is impossible to give a list of best practices for risk management with any confidence whatsoever that they will be useful to you.
So while I can't give you a list of best practices, I can give a basic outline of what your security and risk management program should look like. Essentially, all you need is appropriate policies, procedures and technologies to allow you to provide a sufficient amount of security while enabling the business to achieve its goals. Pretty simple, but in no way does that imply it's easy.
Before starting, you need to understand the business that your company is engaged in. To break it down further, you need to understand the business sufficiently so you can speak intelligently with the executives and other employees about what and how they do things on a day-to-day basis. This will enable you to identify which assets, be they physical or electronic, are important to the company and need the most protection. Similarly, this will enable you to determine which assets are at the highest risk. Note that these are not necessarily the same ones.
It's also essential to understand what environment the business performs in. By that, I mean you need to understand what external considerations are affecting your organization. These may include compliance requirements such as PCI DSS, SOX or HIPAA/HITECH, other legislative requirements such as TARP, or special requirements due to lawsuits or other governmental mandates to name but a few.
Once you've figured out the above, the rest is pretty straightforward. You'll need to work with the heads of the various business units to iron out details of the policies, but essentially what you want is a comprehensive set of policies, procedures and technologies to support the aforementioned business requirements.
For more information:
This was first published in July 2009