Successful organizational risk management is not accomplished in a vacuum.
Without the benefit of executive support, success is fleeting and inconsistent. Without a clear message, risk management programs flounder. Without a shared vision and strategic priorities that align with the corporate mission and goals, risk management programs fail without exception.
To build your program for success, you must first begin by involving executive management. Understanding their concerns and perceptions of organizational risk and risk tolerance can prove invaluable and serve as an impetus to better enable prioritization. Consider formally establishing a Governance Committee composed of key business leaders to maintain continued momentum, better determine programmatic direction and to ensure that proper consideration is given to critical organizational business unit requirements.
It is also recommended that a third-party organizational risk assessment be performed, addressing the current organizational risk state and applicable legal, regulatory and standards-based compliance. With a qualified outside expert determining the severity of known risks and identifying unknown risks, including any compliance gaps, high-risk vulnerabilities can begin to be remediated and the overall threat landscape better understood. With remediation efforts composing the majority of the short-term strategy, the Governance Committee may thereafter begin to focus on both medium- and long-term strategies.
Establish Responsibilities, Procedures
To then effectively execute the determined strategy, organizational roles and responsibilities should be reviewed and developed to ensure that appropriate information security and risk management duties are assigned to all personnel, with operational security and risk management roles further defined.
The Governance Committee should also require that separation of duties and the principle of least privilege are adhered to, with (perhaps dependent to some degree on the overall size of the organization) operational security and audit responsibilities assigned to dedicated staff who report directly to one or more leadership roles. Generally, it is this leadership which will have principal responsibility for guiding Governance Committee efforts and ensuring that the committee's determined strategic direction is successfully implemented.
While qualified personnel are, of course, a primary concern, documentation should not be undervalued. Developing supporting policy and documenting established procedures, security architecture, sensitive data flows as well as data inventory, ownership and retention details provides important reference and opportunity for periodic review and analysis.
A standardized methodology also better allows for consistency of process with a far greater likelihood of desired outcome. Additionally, when aligned with configuration and change management efforts, overall performance and service delivery levels may be recognizably strengthened. Further, training efficiencies and knowledge capture benefits may also be realized.
Given executive support and cohesive direction, it becomes important that security operations and risk management personnel monitor organizational risk on an ongoing basis while remaining cognizant of established programmatic goals and compliance requirements. Monitoring practices should, at a minimum, include daily log review, alerting processes, quarterly internal and external vulnerability scanning, annual internal and external penetration testing, and internal and external risk assessment completed on at least an annual basis.
It is with this “hands-on” knowledge of identified threats and vulnerabilities that the Governance Committee may be afforded the opportunity to gain valuable insights that can serve as input to enable both warranted, immediate action and future changes in strategic direction as is most appropriate.
With such a structure, your organization can become more capable of managing risk. It all begins by realizing that it cannot be done alone. Rather, it is the active and ongoing cooperative involvement of executive leadership that yields results. Though the best-practice management of technical controls should remain in the hands of technicians, it is with the support and collaboration of multi-functional business leaders that the effect of risk upon an organization is best understood. With such clarity, control strategies can be developed more effectively and risk managed.
Editor's Note: Need more advice on risk management? Peter's got you covered: Successful Risk Management Starts Small
About the Author
Peter Spier is Managing Director PCI and Risk Assurance at Fortrex Technologies based in Frederick, Maryland; President of the ISACA Western New York Chapter, and an adjunct instructor at the University of Maryland University College.