In this installment of the Risk Management Guide, Shon Harris describes the roles and responsibilities of an information risk management team.
In the rest of the series we will be walking through the different steps as they are
Each organization differs in its size, security posture requirements and security budget. One organization may have a single individual responsible for IRM; another may have a team that works in a coordinated manner. Regardless, the overall goal of IRM is to ensure that the company is protected in the most cost-effective manner. This goal can be accomplished only if the following components are in place:
- An established risk acceptance level provided by senior management
- Documented risk assessment and control processes and procedures
- Procedures for identifying and mitigating risks
- Appropriate resource and fund allocation from senior management
- Contingency plans where assessments indicate that they are necessary
- Security-awareness training for all staff members associated with information assets
- Ability to establish improvement (or risk mitigation) teams in specific areas when necessary
- Mapping of legal and regulatory compliance requirements to control and implementation requirements
- Development of metrics and performance indicators to be able to measure and manage various types of risks
- Ability to identify and assess new risks as the environment and the company change
- Integration of IRM and the organization's change control process to ensure that changes do not introduce new vulnerabilities
The IRM team, in most cases, is not made up of employees whose dedicated task is risk management. It consists of people who already have a full-time job in the company and are now tasked with something else on top of it. Thus, senior management support is necessary so that proper resource allocation can take place.
The IRM team consists of individuals from different business units throughout the organization. The team needs to understand the company and its associated risks from different perspectives to ensure that nothing is accidentally missed. For example, if all of the team members are from IT, the IRM team will focus only on IT risks.
The team members also need to be at the "right level" within the organization. This usually means business unit managers, because they understand issues at a higher level than a worker bee who lacks a holistic view of the business unit and cannot understand the full ramifications of certain risks. Many times managers will send a lower-level worker in their place to IRM meetings because of busy schedules or a lack of interest. This usually degrades the quality of the IRM team's insight and performance.
Of course, all teams need a leader, and IRM is no different. One individual should be singled out to run this rodeo and, in larger organizations, this person should be spending 50 to 70% of their time in this role. The IRM team leader is a manager who acts as the liaison between the team and executive management. This person is responsible for keeping executive management, and possibly the board members, up to date on the company's current risk level. While the team leader is responsible for requesting funds and garnering support for new risk mitigation initiatives, management needs to dedicate funds for this person to have the necessary training and risk analysis tools to ensure that the endeavor is successful. Many larger organizations are creating a role called the Risk Officer. This person is responsible for understanding a broad range of risks to the company, not just information security risks, and advising executive management on business decisions.
The IRM team meets at least quarterly. The team reviews internal and external audit results and the results of ongoing risk and vulnerability assessments, and discusses upcoming changes that the company faces. The company should also set up a communication structure to ensure that the IRM team is aware of newly recognized risks: when people within different departments recognize new vulnerabilities or risks, they need to know whom to report them to. The IRM team members should be highly visible and accessible to other employees, and the IRM policy and IRM team member contact information should be available via the company intranet.
RISK MANAGEMENT GUIDE
- Introduction: Understanding risk
- An overview of the risk management process
- How to define an acceptable level of risk
- How to write an information risk management policy
- How to implement an effective risk management team
- Information risk management: Defining the scope, methodology and tools
- How to conduct a risk analysis
- How to deal with risk
About the author
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security education and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.
This was first published in April 2006