How to write an information risk management policy

Shon Harris
04.06.2006
In this installment of the Risk Management Guide, Shon Harris describes the contents of a risk management policy and provides a sample policy template.

Proper risk management requires a strong commitment from senior management, a documented process that supports the organization's mission, an information risk management (IRM) policy and a delegated IRM team. Once you've identified your company's acceptable level of risk, you need to develop an information risk management policy.

The IRM policy should be a subset of the organization's overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies, which lay out the acceptable risk and the role of security as a whole in the organization. The IRM policy is focused on risk management while the security policy is very high-level and addresses all aspects of security. The IRM policy should address the following items:

The IRM policy provides the infrastructure for the organization's risk management processes and procedures, and should address all issues of information security, from personnel screening and the insider threat to physical security and firewalls. It should provide direction on how the IRM team relates information on company risks to senior management and how to properly execute management's decisions on risk mitigation tasks.

The IRM policy can be written by outside security consultants, the CISO or the internal security team. The following is an example of a university IRM policy that can be used as a guideline to help in constructing a policy for your organization.

Intent

______________ Council has approved the introduction and embedding of risk management into the key controls and approval processes of all major business processes and functions of the University.

Risk is inherent in all academic, administrative and business activities, and every member of the University community continuously manages risk. _____________ recognizes that the aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize and manage the risks involved in all University activities. It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.

____________ acknowledges that risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls -- not to impose risk management as an extra requirement.

Policy objectives

The Risk Management Policy has been created to:

Policy statement

_____________ adopts the Risk Management approach and general methodology specified in the AS/NZS4360:1999 Risk Management Standard.

All ______________ business processes and functions will adopt a risk management approach consistent with the AS/NZS4360:1999 Risk Management Standard in their approval, review and control processes. The generic ____________ risk management approach and methodology for this purpose is as set out in the __________ Risk Management Guidelines, as approved by the Vice-Chancellor from time to time.

The responsible manager for each ___________ business process and function shall develop a form of risk management approach and associated documentation appropriate to their domain, which will be approved by the Vice-Chancellor upon recommendation from the Vice-President (Organizational Support).

Policy scope

This policy is applicable to all areas of the University, including:

Responsibilities

Overall

Everyone in the University has a role in the effective management of risk. All staff should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.

Governance

The Vice-Chancellor will be responsible on behalf of _________ Council for ensuring that a risk management system is established, implemented and maintained in accordance with this policy.

The Audit and Review Committee of _______________ Council will be responsible for oversight and assurance of the processes for the identification and assessment of the strategic-level risk environment.

Operational

The Vice-Chancellor has delegated responsibility for oversight and implementation of this policy to the Vice-President (Organizational Support).

The Senior Executive of the University will ensure risk management is embedded into the key controls and approval processes of all major business processes and functions. The Executive will be responsible to the Vice-President (Organizational Support) for the implementation of this policy within their respective areas of responsibility.

Heads of ______________ subsidiaries and controlled entities, and associated entities operating under the name or legal status of the University, will be responsible to their respective Boards for the implementation and maintenance of appropriate risk management processes; and will provide reports to the Vice-Chancellor as directed on the implementation of these risk management processes.

The Planning & Quality Unit will provide reports to the Vice-Chancellor, Vice-President (Organizational Support), and Audit and Review Committee on the status of risk management implementation and effectiveness across the University; and will periodically report on the identification and assessment of major, strategic risk levels.

Communication

This policy is to be made available to all ____________ staff and observed by all members of staff, both academic and administrative.

There will be an ongoing professional development and educational strategy to accompany the implementation of this policy.

Definitions

Definitions are taken from the Australian and New Zealand Risk Management Standard, with some modifications as appropriate to the particular ____________ context.

A complete listing of methodology definitions related to risk management at ____________ is included in the ________________ Risk Management Guidelines.

Key definitions are:

  • Risk Management Process
    The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risk.

Exclusions

There are no exclusions. This policy applies to all areas of the University.

Related information

Further administrative information about this policy

Related policies/guidelines

Responsibilities and contacts

[TABLE]

The following person may be approached on a routine basis in relation to this policy:

[TABLE]

The following are more examples and guidelines on how to properly create your IRM policy to ensure that it meets your organizational needs.

Lesson 10 Risk Management Policy
Murdoch University Risk Management Policy
University of Sussex Risk Management Policy
University of Cambridge Risk Management Policy

About the author
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.