12.13 Risk Management Framework
Any business endeavor includes risk, and the organization must address all risks. Addressing risk is not necessarily doing something about the risk; however, addressing risk does mean identifying, acknowledging, and formally stating the organizational position on that risk. The risk management framework is as follows:

- Identify risk
- Quantify risk
- Address risk via:
  - Accept, e.g., $ of other options > $ of potential loss
  - Ignore, i.e., implicit acceptance
  - Share, e.g., interorganization cooperative (co-op)
  - Transfer, e.g., E-risk insurance
  - Mitigate, e.g., invest in security services and mechanisms
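The three steps above, worked through on a small constructed risk register (this is an added illustration, not code from the book): each identified risk is quantified as an expected annual loss, the "accept" rule is applied as stated (accept when every alternative costs more than the loss it avoids), otherwise the cheapest of share/transfer/mitigate is chosen, and any identified risk with no recorded decision is reported as ignored, i.e., implicitly accepted. All figures, risk names, and the expected-loss quantification are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class TreatmentOption:
    kind: str             # "share", "transfer" or "mitigate"
    annual_cost: float    # what the option costs per year (assumed figure)
    residual_loss: float  # expected loss that remains with the option in place

@dataclass
class Risk:
    name: str
    expected_loss: float  # step 2, quantify: likelihood x impact per year (assumed)
    options: list = field(default_factory=list)

def address_risk(risk):
    """Step 3, address: accept when every alternative costs more than the loss it
    would avoid; otherwise take the option with the lowest total annual cost
    (option cost plus residual loss). Returns (decision, annual cost)."""
    best = None
    for opt in risk.options:
        total = opt.annual_cost + opt.residual_loss
        if best is None or total < best[1]:
            best = (opt.kind, total)
    if best is None or best[1] >= risk.expected_loss:
        return ("accept", risk.expected_loss)
    return best

def build_register(risks):
    """Map each risk name to its formally stated decision."""
    return {r.name: address_risk(r) for r in risks}

def ignored_risks(identified, register):
    """Identified risks with no entry in the register are implicitly accepted."""
    return [name for name in identified if name not in register]

# Constructed sample register (figures are illustrative, not from the text)
RISKS = [
    Risk("ransomware on file server", 120_000, [
        TreatmentOption("mitigate", 30_000, 20_000),    # backups + endpoint controls
        TreatmentOption("transfer", 25_000, 40_000)]),  # e-risk insurance, deductible remains
    Risk("laptop lost in transit", 2_000, [
        TreatmentOption("mitigate", 5_000, 200)]),      # costs more than the loss it avoids
    Risk("data center flood", 10_000, [
        TreatmentOption("share", 4_000, 2_000),         # interorganization co-op
        TreatmentOption("transfer", 7_000, 1_000)]),
]
IDENTIFIED = [r.name for r in RISKS] + ["insider fraud"]  # identified but never decided on

if __name__ == "__main__":
    register = build_register(RISKS)
    for name, (decision, cost) in register.items():
        print(f"{name}: {decision} (annual cost {cost:,.0f})")
    print("ignored (implicit acceptance):", ignored_risks(IDENTIFIED, register))
```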
12.14 Security Management Program Framework (SMP Framework)
Organizations concerned with security at all should identify those driving forces behind the need for security. The root drivers will be to manage business risk. Drivers directly affecting the form and content of a security management program (SMP) may include legislation, regulation, and business need (e.g., maintain operational SLAs of 99.9 percent uptime). These drivers influence both the form and content of the SMP. First, start by defining an SMP framework. The SMP framework will consist of security categories and security elements within each category. Which categories and elements are necessary is organization specific. If the organization is health care oriented, then HIPAA will have an influence on the SMP framework. If the organization is a publicly traded company in the United States, then Sarbanes-Oxley will have an influence on the SMP framework.
A good practice is to choose an industry standard on which to base the SMP framework, and then add, delete, or modify categories and elements to suit the needs of the organization. One industry standard is ISO 27002 (formerly ISO 17799). Another is NIST SP 800-53, and there are many others. Appendix D contains a sample SMP framework based on NIST SP 800-53.

Whichever SMP framework you choose provides a basis on which the entire organization looks at security. Any security-related task is done within the context of the SMP framework. The SMP framework provides a consistent and comprehensive view of security. It provides an outline for templates, tools, and guidelines for security planning, implementation, assessment, gap analysis, remediation analy-