Successful organizational risk management is not accomplished in a vacuum.
Without the benefit of executive support, success is fleeting and inconsistent. Without a clear message, risk management programs flounder. Without a shared vision and strategic priorities that align with the corporate mission and goals, risk management programs fail without exception.
Involve Management
To build your program for success, you must first begin by involving executive management. Understanding their concerns, their perception of organizational risk and their risk tolerance is invaluable, and it gives the program a sound basis for prioritization. Consider formally establishing a Governance Committee composed of key business leaders to maintain momentum, set programmatic direction and ensure that the requirements of critical business units receive proper consideration.
It is also recommended that a qualified third party perform an organizational risk assessment addressing the current risk state and applicable legal, regulatory and standards-based compliance. An outside expert's determination of the severity of known risks, together with the identification of previously unknown risks and any compliance gaps, lets remediation of high-risk vulnerabilities begin and gives the organization a clearer picture of its threat landscape. With remediation making up the majority of the short-term strategy, the Governance Committee can then turn its attention to medium- and long-term strategy.
Establish Responsibilities, Procedures
To execute effectively on the chosen strategy, organizational roles and responsibilities should be reviewed and developed so that appropriate information security and risk management duties are assigned to all personnel, with the operational security and risk management roles defined in further detail.
The Governance Committee should also require adherence to separation of duties and the principle of least privilege. Depending to some degree on the overall size of the organization, operational security and audit responsibilities should be assigned to dedicated staff who report directly to one or more leadership roles; audit should not report to the function it audits. It is generally this leadership that holds principal responsibility for guiding Governance Committee efforts and ensuring that the strategic direction the committee sets is successfully implemented.
While qualified personnel are, of course, a primary concern, documentation should not be undervalued. Developing supporting policy and documenting established procedures, the security architecture, sensitive data flows, and data inventory, ownership and retention details provides an important reference and the opportunity for periodic review and analysis.
A standardized methodology also provides consistency of process and a far greater likelihood of the desired outcome. When aligned with configuration and change management efforts, it can measurably strengthen overall performance and service delivery levels, and it yields training efficiencies and knowledge capture benefits as well.
Continued Review
Given executive support and cohesive direction, it becomes important that security operations and risk management personnel monitor organizational risk on an ongoing basis while remaining cognizant of established programmatic goals and compliance requirements. Monitoring practices should, at a minimum, include daily log review, alerting processes, quarterly internal and external vulnerability scanning, annual internal and external penetration testing, and internal and external risk assessments completed on at least an annual basis.
Source : cmswire[dot]com