Creating a security risk management plan format

Enterprises without a codified risk management plan are much more susceptible to threats. In this expert response from Ernie Hayden, learn how to create a risk management plan that covers all the bases.

Our enterprise is in the process of constructing a formal risk management plan for the first time. Do you know of any examples of plans, or could you give any advice on what we should include?

There are many sources of information that can help you establish a risk management process resulting in an enterprise security risk management plan. One of the first documents you should consider is NIST Special Publication 800-53 V3, "Recommended Security Controls for Federal Information Systems and Organizations". Chapter 3 of this standard contains an excellent flow chart that guides you through the key processes when developing your risk plan and framework. Figure 3-1 of the NIST SP 800-53 is included to the right.

Essentially, the starting point for this process is to gather your "organizational inputs" and "architecture description" as the foundational information from which you then identify and categorize your assets.

For example, organizational inputs could include the core business of the organization that should not be hindered, the business' key customers and applicable key laws with which the business must comply.

Examples of the architectural description are listed above in the diagram and include the enterprise mission/business processes, the system architectures and the boundaries of the information systems that need to be protected.


In another NIST Special Publication -- SP 800-39, DRAFT Managing Risk from Information Systems (.pdf) -- the reader is provided a general view of managing risk to the organization with security controls applied to information systems and infrastructure. A high-level view of the approach from this NIST document is offered in Figure 1 to the left.

A third document that may be helpful when developing a risk management plan format is a seminal article by my colleague Cris Ewell in Information Security magazine, "How to write a risk methodology that blends business, security needs" (June 2009). In this article, Cris notes the following key points for those trying to develop a risk management plan and process:

The risk process must be rooted in the principles of security and integrated into a security program that blends business needs, due care, current attack vectors as well as addressing the requirements of regulations and contractual requirements. Compliance with standards and regulations helps to show due care, but should not be the driving force in a security program. It is not possible to address all of the threats and vulnerabilities. Instead of prescriptive controls, reduction of residual risk should be the driving force for the direction of development, assessment, and improvement of information security practices within the organization.

In the same article, Ewell goes on to describe how his risk management framework is built on three categories and 13 elements:

  1. Strategic Category
    1. Organization and authority
  2. Tactical Category
    1. Policy
    2. Audit and compliance
    3. Risk management
    4. Privacy
    5. Incident Management
    6. Education and awareness
  3. Operational Category
    1. Operational management
    2. Technical security and access control
    3. Monitoring, measurement and reporting
    4. Physical and environmental security
    5. Asset identification and classification
    6. Account management and outsourcing

You may want to scour the Internet for other potential risk management plans. However, the NIST documents and Ewell's article mentioned above are all excellent resources, and they are free.

This was last published in May 2010