risk management principles

Risk Management Techniques

February 14, 2014 by Bruce Brown Leave a Comment

Organizations with poor planning or a given budget spend more time making excuses than implementing risk management techniques.

Risk management techniques can be found in ISO 31000:2009, NIST SP 800-39, ISACA Risk IT Frame work and Canada’s ITSG-33 (see more in risk management principles).

The techniques of risk management center around looking at overall organizational security risk and asking the question, “what happens if a threat causes the organization to lose its capability?” “Are we prepared?”

All the standards listed above actually have the same risk management techniques, but the trick is to actually implement the risk management. You would think that is a no brainer but unfortunately, organizations KNOW what they are supposed to do for due diligence but spend time on making Risk Management Excuses of why they won’t do it rather than how the can spend time or money on risk management techniques.

Kudos to the organization that IMPLEMENTS REAL Risk management techniques with continuous monitoring within a realistic budget and not just pass the risk to someone else, or ignore the risk and make excuses with things go wrong. As a risk management foot soldier, I KNOW how hard this can be.

Risk Management Principles

February 7, 2014 by Bruce Brown Leave a Comment

Risk management principles can be found in ISO 31000:2009, Risk management – Principles and guidelines and its companion guides ISO Guide 73:2009, Risk management – Vocabulary with has a collection of definitions relevant to the management of risk. ISO/IEC 31010:2009, Risk management – Risk assessment techniques focuses on risk.

Other documents with risk management principles include NIST SP 800-39, and NIST SP 800-30.

The principle of risk management center around looking at corporate risk. What is the risk to the bottom-line of the organization? Whether the bottom-line is money, reputation, a mission, or process. How will the organization address risk from the top down? Risk is addressed at every level of the organization from the very top to the bottom. NIST 800-39 breaks this all down in tiers.

To address the actual risk and organization must be able to predict the likelihood of a harmful event (threat) adversely affecting an asset vulnerability.

Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk IT Risk

An organization uses a quantitative approach to analyzing and managing the risk to its resources. To do this, they must identify the threat, the asset, the vulnerability and countermeasures (security controls) of the asset. They must determine the level of impact that the organization would suffer if the harmful event occurs. To determine all this they must do risk assessments.