Information Security Risk Management

Information-gathering aided by formal practices and technologies

Risk Management Purpose

Collective Risk Management

Planning

Analysis

Recommendation

Monitoring

A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches.

A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.

A security control objective cannot be met through a technical change, so the company changes as method of operation.

A security control objective cannot be met through a technical change, so the Chief Information Officer (CIO) decides to sign off on the risk.

To define the level or risk using probability and likelihood

To register the risk with the required regulatory agencies

To identify the risk, the risk owner, and the risk measures

To formally log the type of risk mitigation strategy the organization is using

researching, reviewing, and acting on

identifying, analyzing, and responding to

reviewing, monitoring, and managing

identifying, reviewing, and avoiding

analyzing, changing, and suppressing

Risk Monitoring and Control

Risk Identification

Risk Avoidance

Risk Response Planning

Risk Management Planning

A. Mitigation

B. Deflection

C. Avoidance

D. Transfer