The Cyber Security Handbook: Prepare For, Respond to and Recover From Cyber Attacks by Alan Calder

Author: Alan Calder
Language: eng
Format: epub
ISBN: 9781787782624
Publisher: IT Governance Ltd.


12.12 Comprehensive risk management programme

Identifying, assessing and responding to cyber and information security risks in a structured and methodical manner, as part of a wider risk management programme.

Key output: Comprehensive and structured risk assessments conducted on a regular basis.

For most CRF processes, conducting a risk assessment is a critical part of identifying the specific measures to implement. Performing a risk assessment is also a necessary step for effectively implementing the overall Framework, since it will help you make sensible and cost-effective decisions on what processes to consider in the first place, which is why it is a separate step in our eight-step approach to implementing cyber security (see step 6, chapter 23).

Even though risk assessments are conducted in many organisations, relatively few conduct them in a truly structured, methodical manner that ensures the results are justifiable, consistent across different areas of the business and repeatable.

Of course, any kind of risk assessment is a first step to efficient defences, and even an unstructured or intuitive approach is probably better than nothing at all. Whatever the approach, risk assessment is an effective way of working out exactly what threats and vulnerabilities can harm your organisation the most, and helping you decide which ones to address first.

However, conducting that risk assessment in a comprehensive, structured and more formal manner brings additional advantages. It helps ensure the process can be applied consistently by different people, which will help you appropriately prioritise risk treatments. A structured approach also makes it less likely you will overlook any risks.

A formal programme also makes it easier to plan risk assessment reviews, both at regular intervals and when major changes are planned (or have already been made), and to make sure those reviews are actually carried out as planned. Your programme might also consist of multiple risk assessments, perhaps divided up on a departmental basis, which can be grouped by review interval, methodology, etc.

The actual approach or methodology your organisation chooses does not particularly matter, as long as it can ensure valid, repeatable and comparable results, and is an approach that suits your business needs. There are some principles your methodology should observe to ensure effective risk analysis and treatment, however, which are discussed in 12.12.1.


