Without knowing how mature your organization is with respect to IT in general and information security in particular, it is impossible to give a list of best practices for risk management with any confidence whatsoever that they will be useful to you.
So while I can't give you a list of best practices, I can give a basic outline of what your security and risk management program should look like. Essentially, all you need is appropriate policies, procedures and technologies to allow you to provide a sufficient amount of security while enabling the business to achieve its goals. Pretty simple, but in no way does that imply it's easy.
Before starting, you need to understand the business that your company is engaged in. To break it down further, you need to understand the business sufficiently so you can speak intelligently with the executives and other employees about what and how they do things on a day-to-day basis. This will enable you to identify which assets, be they physical or electronic, are important to the company and need the most protection. Similarly, this will enable you to determine which assets are at the highest risk. Note that these are not necessarily the same ones.
It's also essential to understand what environment the business performs in. By that, I mean you need to understand what external considerations are affecting your organization. These may include compliance requirements such as PCI DSS, SOX or HIPAA/HITECH, other legislative requirements such as TARP, or special requirements due to lawsuits or other governmental mandates, to name but a few.
Once you've figured out the above, the rest is pretty straightforward. You'll need to work with the heads of the various business units to iron out details of the policies, but essentially what you want is a comprehensive set of policies, procedures and technologies to support the aforementioned business requirements.
For more information:
- Read more about how to manage SaaS risk.
- Learn about choosing a general security risk assessment.
Related Q&A from David Mortman