Risk management strategy for an information technology solution provider

Looking to create an enterprise risk management strategy for an information technology solution provider? Security management expert David Mortman weighs in.

My company is an IT solution provider with 70 IT people worldwide. What best practices should I be aware of as I define a security and risk management strategy for my organization?

Without knowing how mature your organization is with respect to IT in general and information security in particular, it is impossible to give a list of best practices for risk management with any confidence whatsoever that they will be useful to you.

So while I can't give you a list of best practices, I can give a basic outline of what your security and risk management program should look like. Essentially, all you need is appropriate policies, procedures and technologies to allow you to provide a sufficient amount of security while enabling the business to achieve its goals. Pretty simple, but in no way does that imply it's easy.

Before starting, you need to understand the business that your company is engaged in. To break it down further, you need to understand the business sufficiently so you can speak intelligently with the executives and other employees about what and how they do things on a day-to-day basis. This will enable you to identify which assets, be they physical or electronic, are important to the company and need the most protection. Similarly, this will enable you to determine which assets are at the highest risk. Note that these are not necessarily the same ones.

It's also essential to understand what environment the business performs in. By that, I mean you need to understand what external considerations are affecting your organization. These may include compliance requirements such as PCI DSS, SOX or HIPAA/HITECH, other legislative requirements such as TARP, or special requirements due to lawsuits or other governmental mandates to name but a few.

Once you've figured out the above, the rest is pretty straightforward. You'll need to work with the heads of the various business units to iron out details of the policies, but essentially what you want is a comprehensive set of policies, procedures and technologies to support the aforementioned business requirements.

This was first published in July 2009
