Pitfall #9 of 100: Risk Management Strategy
Pitfall #9 – Risk Management Strategy – is the first pitfall in the second chapter of my eBook, Security Program Pitfalls and Prescription to Avoid Them. The entire second chapter focuses on risk management, so the next few “pitfall” blog posts will be focused on this topic.
A risk management strategy is necessary for organizations to implement and maintain an effective risk management program. Subsequently, an effective risk management program is necessary to help ensure that organizations can effectively manage risks to information assets, data, and overall business operations. Lacking a risk management strategy may lead to a false sense of protection about risks that could potentially impact the daily operations of an organization, or the recovery of operational capabilities.
Your organization should ensure that a comprehensive risk management strategy is developed. It should be implemented consistently across the organization. This is necessary to manage security risks to operations, information assets, individuals, and other organizations associated with the operation or use of your internal information systems. If applicable, the risk management strategy should also address privacy risks to individuals resulting from the collection, sharing, storing, transmission, use, and disposal of personally identifiable information (PII).
The risk management strategy should be reviewed and updated at least annually. More frequent reviews may be required to address changes to information systems, security control requirements, or changes to the overall organization. Risk management processes should be established, managed, and agreed upon by appropriate stakeholders. Your organization should ensure individual control owners associated with risk management activities agree to the defined risk management processes.
Operational priorities, constraints, risk tolerances, and assumptions should be established for your organization to support operational risk decisions. Then, the organization’s risk tolerance should be determined, documented, and communicated to all appropriate internal personnel.
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or, register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.