Without knowing how mature your organization is with respect to IT in general and information security in specific,...
it is impossible to give a list of best practices for risk management with any confidence whatsoever that they will be useful to you.
So while I can't give you a list of best practices, I can give a basic outline of what your security and risk management program should look like. Essentially, all you need is appropriate policies, procedures and technologies to allow you to provide a sufficient amount of security while enabling the business to achieve its goals. Pretty simple, but in no way does that imply it's easy.
Before starting, you need to understand the business that your company is engaged in. To break it down further, you need to understand the business sufficiently so you can speak intelligently with the executives and other employees about what and how they do things on a day-to-day basis. This will enable you to identify which assets, be they physical or electronic, are important to the company and need the most protection. Similarly, this will enable you to determine which assets are at the highest risk. Note that these are not necessarily the same ones.
It's also essential to understand what environment the business performs in. By that, I mean you need to understand what external considerations are affecting your organization. These may include compliance requirements such as PCI DSS, SOX or HIPAA/HITECH, other legislative requirements such as TARP, or special requirements due to lawsuits or other governmental mandates to name but a few.
Once you've figured out the above, the rest is pretty straightforward. You'll need to work with the heads of the various business units to iron out details of the policies, but essentially what you want is a comprehensive set of policies, procedures and technologies to support the aforementioned business requirements.
For more information:
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.