- Most organizations make risk decisions informally, based on their understanding of corporate culture or what they think is best.
- The level to which security programs need to mature is based on what the security professional believes is best.
- Information security risk is both a specific instance or project concern and an aggregate organizational concern.
- Rarely are security risks analyzed in a consistent manner, let alone in a systematic and repeatable method to determine project risk as well as overall organizational risk exposure.
- Don’t think about threats or vulnerabilities. Threats or vulnerabilities limit your ability to think about a risk tolerance level that can be universally applied. Instead, think about business impact and frequency. These factors can be defensibly quantified and provide critical insight into threat severity.
- All risks can be quantified. Security, compliance, legal, or other risks can be quantified using our methodology.
- Consider all impacts. Think about more than just informational impact; consider functional and recoverability impact also.
Impact and Result
- Define an executive risk function.
- Determine organizational risk culture.
- Create a defensible risk tolerance level for your organization.
- Leverage quantified risk tolerance level of broader risk management activities.
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should define an information security risk tolerance level and understand Info-Tech’s methodology to support you in completing this project.
1. Define the risk executive function
Define our risk-framing responsibilities and accountabilities.
2. Assess the risk culture
Perform a lightweight assessment of management and employee risk culture.
3. Define risk assumptions
Define the organizational understanding of risk, assess risk scenarios, define your overall risk tolerance, and manage your macro risk exposure.
This guided implementation is a seven call advisory process.
Guided Implementation #1 - Define the risk executive function
Call #1 - Review project steps and deliverables and confirm project methodology appropriateness.
Call #2 - Customize and complete the risk executive RACI chart.
Guided Implementation #2 - Assess the risk culture
Call #1 - Assess your organizational risk culture.
Call #2 - Perform a cursory assessment of management risk culture.
Guided Implementation #3 - Define risk assumptions
Call #1 - Evaluate risk scenarios.
Call #2 - Optimize the sensitivity of your screening test.
Call #3 - Define macro risk tolerance level.
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess the Risk Culture and Responsibilities
- Discuss the general business requirements and obligations towards risk.
- Understand and agree on risk responsibilities and duties.
- Define and discuss security assumptions for frequency/impact.
Key Benefits Achieved
- Clear understanding of risk language and responsibilities across the organization
- Defined risk statement and IT mandate
Define the security executive function RACI chart.
- Defined IT mandate
Assess employee and management risk culture.
- IT and Business Leadership Alignment Report
Standardize impact and risk assumption terminology.
- Information Security Risk Statement
Define risk requirements and risk frequency/impact thresholds.
- Business Leadership Communication and Reporting Plan
Module 2: Define Risk Tolerance
- Use risk definitions and understanding to define micro risk tolerance.
- Define and discuss organizational risk tolerance for collective macro risk, and high-level strategy for macro risk management.
Key Benefits Achieved
- Quantified definition for micro risk tolerance
- Quantified methodology for risk impact analysis
- Understanding and management method for macro risk
Perform risk scenario assessment.
- Risk Tolerance Determination Tool
Define and discuss organizational micro risk tolerance.
Define and discuss macro risk tolerance and macro risk management methodology.