Risk Management Methods and Frameworks Part II

Risk Management Framework 


A continuous risk management process is a necessary part of any approach to information security. Information security risk includes risks found in artifacts during assurance activities, risks introduced by insufficient process, and personnel-related risks. A risk management framework is an essential philosophy for approaching security work. Following the risk management framework introduced here is by definition a full life-cycle activity. For the purposes of this description, consider risk management a high-level approach to iterative risk analysis that is deeply integrated throughout the system development life cycle.
The Risk Management Framework described here is a mixed version of both the qualitative and the quantitative frameworks, combined to create a more open framework that includes the advantages and excludes the disadvantages of the qualitative and quantitative approaches. This is accomplished through the application of five simple stages, relevant technical expertise, tools, and technologies that together produce a reasonable risk management approach.


Risk Management Framework Stages


This Risk Management Framework consists of the five fundamental stages shown in Figure 1:


1. Establish the business context and goals.
2. Identify the business risks.
3. Analyze and prioritize the risks.
4. Evaluate the risks.
5. Define the risk treatment strategy.

Figure 1


Preceding the five stages there is also an activity that cannot be omitted from the approach. Above the aforementioned five stages we introduce the communicate and consult activity. Consultation and communication are both key components of the risk management process and a major beneficial side effect. Successful risk management relies on achieving a high level of creative input and on involving all parties with a role to play in achieving a successful outcome for the project or business process being addressed. In both the planning and the execution of the risk management process, it is important to ensure that all those who need to be involved are given adequate opportunity to do so and are kept informed of developments in the understanding of the risks and of the measures taken to deal with them.


Following the five stages of this Risk Management Framework is another activity: monitoring and reviewing the success of the treatment process and taking the necessary actions to sustain that status. There are two levels to the underlying monitoring and review component of the process. First, the outputs of the other five stages must be kept under review as time moves on. Changes in the environment, or simply the discovery of better information, might make the original assessment out of date. It is not generally necessary to begin the whole process over again when this happens, unless the change is significant, but those parts which are directly affected by the changed circumstances must be brought up to date. The second component of this part of the process is the monitoring of the operation of the other five stages themselves. The execution of the risk management process absorbs resources and must be managed to ensure that it is conducted cost-effectively.