Information security risk management is one of the foundational practice for any ISMS or information security program. An effective framework facilitates information security risk management throughout it's life-cycle.
Security Risk Management
The risk management process describes how the risk is assessed, analyzed, treated, implemented and monitored to bring risk exposure to a level that is acceptable to the organization. It is important to define key performance measures for the risk management practice to understand it's effectiveness.
Risk Management Process
Technology assets belongs to different risk profiles depending on their exposure to internet, their operating system, vulnerabilities and threats. These, in totality, represent a risk profile for the asset under evaluation. Each of these risks may be treated using a series of controls which will reduce it's risk level. The resulting risk posture may be further improved based on treatment of risks on other high-risk assets. Evidently, this is an ongoing risk management process, focusing always on the most riskier asset.
Tech. Risk Identification Tool
The Key Performance Indicators (KPI) defined in this document are meant to measure the risk management process of an organization. It is important to understand how quickly an organization is able to identify risks, mitigate them, how much of the risks is accepted or tolerated, etc. A trend-line of these measures will help to set the organization's risk tolerance levels based on actual data.
Key Performance Indicators
Every organization has to make a determination on the common grounds for its risk management, which is pretty much the same for information security risks as well. The policy will define the risk rating levels, thresholds for each risk levels, how risks are prioritized, methods of treatment, risk ownership, risk appetite and tolerance.
Risk Management Policy
The risk register is a repository for all risks in a predefined format, so that all participants in the risk management practices define and understand the risks in the same way. Risk registers may be used to capture strategic, operational or technical risks which may require different levels of access control. Care must be taken to ensure that people are able to see the risks to which they have authorization.
The technology risk identification tool included in the package comes with a user guide, to further explain the concepts used.
Risk Assessment Procedure
Risk assessment is an ongoing process. A complete risk assessment must be performed when the practice starts off. Subsequently, every change must be assessed for security risk, regardless of its change. A risk assessment must be performed following external context changes, such as legal, regulatory or contractual changes or major internal organization changes.