Risk Management Definition
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
The risk management approach determines the processes, techniques, tools, and team roles and responsibilities for a business.
You identify what is important to the business, and you use that context to assess the risks: what can go wrong, and which negative outcomes could disrupt business operations.
Why do we need a Risk Management System?
Because it puts in place the structures required to deliver Information Security.
In this technology-focused world, a business that does not have Information Security and the support of its executive leadership can be in real trouble. Information Security is no longer just an IT issue; there must be awareness at board level and a willingness to support it.
Information Security protects the business's information assets by applying controls based on the tenets of the CIA Triad (confidentiality, integrity, availability). It is important, however, to design Information Security with the needs of the business clearly in mind and not to make the controls so strict that they restrict operations.
As discussed above, it is vital to get the executive leadership on board. The following points help develop a business plan that will satisfy management:
- Cover both the needs of the business and the needs of security
- Justify the need to invest time and money in the plan
- Define the goals of the security plan with the CIA Triad in mind
- State the expected return on investment
Business Alignment
Once a business decides to implement an Information Security plan, it must decide how the plan fits into the organisation. The Information Security plan is there to help the business function, so it must align with the core goals and objectives of the business.
Security Balance
An important factor to remember when developing a security plan is the reputation of security professionals for being too strict. Controls that are seen as obstructive lead to "shadow IT", where staff go outside the business's security framework to make their job easier or more efficient, and the business loses visibility of those systems and data.
Risk Management Systems
With balance in mind, a good implementation of a security system allows for usability while keeping the system secure. Keep in mind that adding a new security control will usually impact usability; conversely, weakening a control to reduce its impact on usability can open the door to a security breach.
External, third-party factors also need to be considered. Who needs access to your systems, such as business partners, suppliers and customers? Their access must be taken into account when implementing security controls.
There are many ways to implement Information Security, but a recommended method is to use a security framework. In cybersecurity, a framework is a system of standards, guidelines, and best practices for managing the risks that arise.
There are many frameworks available to use in information security:
- ISO/IEC 27001
- CIS Critical Security Controls (Center for Internet Security)
- The NIST Cybersecurity Framework