In the this article I will expand on the Enterprise Risk Management Model and look at the process as applied to Security.
Whether it is ISO31000 or other risk models such as COSO and COBit
As readers of previous article will recall ISO31000 is the Australian Standard for Risk Management and the basis for security risk planning but there are other models that can contribute.
COSO is Enterprise Risk Management – Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.
COBIT 4.1 is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the enterprises’ IT governance and control framework.
The risk management process applied to security involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
The dynamic and variable nature of human behaviour and culture should be considered throughout the risk management process.
Although the risk management process is often presented as sequential, in practice it is iterative.
The organization should define the purpose and scope of its risk management for business security. The internal and external context is the environment in which the organization seeks to define and achieve its objectives arising from security activities.
Defining risk criteria
The organization should specify the amount and type of security risk that it may or may not take relative to objectives. It should also define criteria to evaluate the significance of the risk and to support decision making processes. Risk criteria should reflect the organization’s values, objectives and resources and be consistent with policies and statements about risk management. The criteria should be defined taking into consideration the organization’s legal, regulatory, all other obligations, and stakeholder views.
Risk assessment and analysis
The purpose of risk identification is to find, recognize and describe risks associated with security that might help or prevent an organization achieving their objectives. Relevant, appropriate and up-to-date information is important in identifying risks.
Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information supplemented by further enquiry as necessary.
The purpose of security risk analysis is to comprehend the nature of risk arising from security and its characteristics including, where appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness.
Risk evaluation
The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine the significance of risk.
Decisions should take account of the wider context and the actual and perceived consequences for internal and external stakeholders. Decisions should be made in accordance with legal, regulatory and other requirements.
The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels of the organization.
Risk treatment
The purpose of risk treatment is to select and implement options for addressing risk.
- Risk treatment involves an iterative process of:
- formulating and selecting risk treatment options;
- planning and implementing risk treatment;
- assessing the effectiveness of that treatment; deciding whether residual risk are acceptable; and
- if not acceptable, taking further treatment.
Selection of risk treatment options
Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in relation to the achievement of the objectives against costs, effort, or disadvantages of implementation.
Risk treatment can also introduce new risks that need to be managed.
Preparing and implementing risk treatment plans
The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented so that arrangements are understood by those involved and progress against the plan can be monitored. The treatment plan should clearly identify the order in which risk treatments should be implemented.
Monitoring and review
The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.
Recording and reporting
The risk management process for security and its outcomes should be documented and reported through appropriate mechanisms.
Decisions concerning the creation, retention and handling of documented information should take into account, but not be limited to, their use, information sensitivity, and internal and external context.
Over the 2019 edition, each of these process steps will be looked at in detail to assist in building your risk management process for security.