Establish an effective information security program
From there, think about what vulnerabilities exist within your organization, and categorize and rank them by potential impact. These vulnerabilities can involve people (employees, clients, third parties), processes (or the lack of them), and the technologies in place. A high-impact threat paired with a high vulnerability becomes a high risk, for example. Contact us if you need assistance putting together a risk analysis like this.

Now that your risks are ranked, decide whether to reduce, transfer, accept, or avoid each one. Without an incident management and disaster recovery plan, your organization is exposed should a security incident or natural disaster occur. A good plan identifies common incidents and outlines what needs to be done, and by whom, to recover data and IT systems.

Be sure to consistently monitor and maintain an updated list of all third-party vendors. Once high-risk third parties are identified, find out what security measures they have in place, or mandate the necessary controls. These controls will mitigate or eliminate risks. They can be technical e.

Conduct frequent security awareness training to share your information security plan and explain how each employee plays a role in it. After all, new security measures and policies do nothing if the employees working with the data are not educated on how to minimize risk.

Any time an element of your security program changes, your employees need to be made aware of it. Practice shows that a multi-phased approach to creating an information security risk management (ISRM) program is the most effective: it results in a more comprehensive program and simplifies the whole process by breaking it into several stages.

It makes the ISRM process more manageable and enables you to fix issues more easily. Here are five steps for building an effective information security risk management program:

I cannot stress the importance of this step enough. It gives you the foundation upon which you can build the ISRM program, and the support of the executives you need to implement it successfully.

In this stage, you need to define the functional capabilities and controls related to IT security and risk management e. If you choose to outsource implementation of ISRM capabilities to third parties, be sure to consider the associated risks and ensure appropriate oversight by internal staff. Next, your organization needs to define the metrics that will be used to evaluate the effectiveness of the ISRM strategy. Here are two best practices for this step:

Finally, implement your ISRM strategy and monitor its operation to identify issues or areas for improvement. Define a schedule or a set of conditions for reviewing the program; major changes in your IT environment, data breaches in your industry, and new cyberattack techniques are all valid reasons to look at your ISRM program with a critical eye and revise it as necessary. The NIST frameworks are a great resource: any organization can use NIST guidelines to model its own risk management strategy and security baselines.

If your organization is looking for a thorough examination of how best practices can be applied through structured frameworks that also map to regulatory and compliance requirements, you would be well served by studying the NIST Risk Management Framework (RMF) and the NIST Cybersecurity Framework (CSF):

Figure 1. Next, you need to categorize IT systems by risk level: estimate the adverse impact of a loss of confidentiality, integrity, or availability of each system and of the information it processes, stores, or transmits. Based on the results of that step, select and implement appropriate controls for each system.

During this step, you decide which baseline security controls to implement based on the category assigned to each system. Next, it is important to verify that the controls are implemented correctly and operate as expected to protect the systems.

The NIST Cybersecurity Framework is another framework that can help companies better manage and mitigate cybersecurity risk. The steps of this framework include the following:

Figure 2. Developing an ISRM program makes the risk management process more manageable and helps you protect your most critical assets against emerging cyberthreats. Once the current state of the security program and the desired state have been defined, a gap analysis determines the difference between them and informs a security strategy aimed at reaching the desired state.

A roadmap can then be produced to guide the development of the security program that will realize this strategy. The roadmap generally covers the people, processes, technology, and any other required resources, and it describes the approach to be followed and the steps to be taken to execute the strategy. The next step is to manage the security program effectively so that it achieves its objectives and delivers the expected results. The program in question must be designed to provide an appropriate level of availability, integrity, and confidentiality for company information.

The information security program must include a clear assignment of security roles and responsibilities. Information security awareness training is a critical element of the strategy because users are often the weakest link; they must know and understand the policies, standards, and procedures in order to adopt safe practices and stay vigilant against the threats they face. Many laws and regulations now require an awareness and training program.

However, evidence suggests that employees in many organizations are still not sufficiently aware. Multiple studies have shown that cybersecurity awareness training is an effective control for improving overall security.


