The Security Risk Management Guide
The Security Risk Management Guide Overview
Chapter 1: Introduction to the Security Risk Management Guide
Chapter 1 introduces the Security Risk Management Guide (SRMG) and provides a brief overview of subsequent chapters. It also provides information about the following:
- Keys to succeeding with a security risk management program
- Key terms and definitions
- Style conventions in the papers
- References for further information
Chapter 2: Survey of Security Risk Management Practices
Chapter 2 lays a foundation and provides context for the SRMG by reviewing other approaches to security risk management and related considerations, including how to determine your organization’s risk management maturity level.
Chapter 3: Security Risk Management Overview
Chapter 3 provides a more detailed look at the four phases of the SRMG process while introducing some of its important concepts and keys to success. The chapter also offers advice on preparing for the program by planning effectively and placing strong emphasis on building a solid Security Risk Management Team that has well-defined roles and responsibilities.
Chapter 4: Assessing Risk
Chapter 4 addresses the first phase, Assessing Risk, in detail. Steps in this phase include planning, data gathering, and risk prioritization. Risk prioritization itself comprises a summary level and a detailed level, balancing qualitative and quantitative approaches in order to provide reliable risk information within reasonable trade-offs of time and effort. The output from the Assessing Risk phase is a list of significant risks with detailed analysis that the team can use to make business decisions during the next phase of the process.
Chapter 5: Conducting Decision Support
Chapter 5 addresses the second phase, Conducting Decision Support. During this phase, teams determine how to address the key risks in the most effective and cost-efficient manner. Teams identify controls; estimate costs; assess the degree of risk reduction; and then determine which controls to implement. The output of the Conducting Decision Support phase is a clear and actionable plan to control or accept each of the top risks identified in the Assessing Risk phase.
Chapter 6: Implementing Controls and Measuring Program Effectiveness
Chapter 6 addresses the final two phases of the SRMG: Implementing Controls and Measuring Program Effectiveness. During the Implementing Controls phase, the Mitigation Owners create and execute plans based on the list of control solutions that emerged during the decision support process.
When the first three phases of the security risk management process are complete, organizations should estimate their progress with regard to security risk management as a whole. The final phase, Measuring Program Effectiveness, introduces the concept of a “Security Risk Scorecard” to assist in this effort.
Appendix A: Ad-Hoc Risk Assessments
Appendix B: Common Information System Assets
Appendix C: Common Threats
Appendix D: Vulnerabilities