Security Risk Assessment
Identify exposures to security-related risks, and quantify their likelihood and potential impact.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Risk Assessment at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of staff.
- Outcome
- The organization behaves on an ad hoc basis: with no documented processes or procedures, staff respond differently to the same situation according to their individual experience and training backgrounds.
- Metric
- # Customer complaints or accolades about the (in)consistency of the organization's handling of security risk
- 2 Basic
- Practice
- Establish a security risk assessment process in IT and ensure subject matter experts are identified within IT by system or process owners. Use IT specific risk measures/metrics during risk assessments.
- Outcome
- Security risk assessments are conducted by qualified staff and there is confidence in any assessment findings. The risks identified include major pain-points and current trends but lack consistency. Security risk assessments include IT metrics that are typically focused on technical assets but no consistent metrics framework is in place.
- Metric
- # Subject Matter Experts identified for security risk assessments in IT
- % Identified risks whose impact/likelihood exceed the organization's risk tolerance
- 3 Intermediate
- Practice
- Use IT and business metrics in risk assessments. Conduct security risk assessments on a regular basis and involve subject matter experts from IT and some business areas. Use dimensions and information from security risk profiles for assessment and ensure complete assessment of exposures.
- Outcome
- Risk assessments include IT and business metrics that are typically focused on business assets and processes. A consistent metrics framework is used. Regular risk assessments facilitate collection of comparable data; and encourage follow-through on risk-handling. Consistent information is available on risks in IT and some business areas; information is sufficient for risks to be taken into account in decision-making processes.
- Metric
- # Subject Matter Experts identified for risk assessment in IT
- # Subject Matter Experts identified for risk assessment in business units
- Risk exposure for each identified risk
- % Identified risks whose impact/likelihood exceed the organization's risk tolerance
- 4 Advanced
- Practice
- Define and use assessment metrics that are linked to the impact on business processes. Ensure the security risk assessment process including the use of metrics, is consistently used organization-wide and is aligned with and updated according to enterprise risk assessment processes.
- Outcome
- An organization-wide, holistic and stable metrics framework exists. There is clear linkage between business process impact and risk. Consistent information is available on all risks organization-wide; information is sufficient for risks to be taken into account in decision-making processes.
- Metric
- € Risk exposure for each identified risk
- % of identified risks whose impact/likelihood exceed the organization's risk tolerance
- 5 Optimized
- Practice
- Ensure the security risk assessment process is agile and adaptable to the needs of the business ecosystem, considers long-term risks and is continually optimized.
- Outcome
- The expanded scope of security risk assessment allows long-term risks to be included, and the process adapts to the complexity and scope of the business ecosystem's operating model.
- Metric
- Time horizon for risks
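The two quantitative metrics that recur at levels 2 to 4 above (a monetary risk exposure per identified risk, and the percentage of identified risks whose impact/likelihood exceed the organization's risk tolerance) are easy to state but are only comparable across assessments when the scoring rules are fixed in advance. The following is an added example, not part of this page or of any maturity framework's own material; it assumes that exposure is annualised as likelihood × impact, that tolerance is expressed both as a monetary ceiling and as a threshold on a 5×5 likelihood/impact matrix, and it uses a constructed four-entry risk register.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry in a risk register.

    ASSUMPTION: likelihood is an annual probability of the loss event, impact_eur the
    expected loss per occurrence, and the *_level fields are ordinals on a 5x5 matrix.
    """
    name: str
    likelihood: float        # annual probability that the loss event occurs (0..1)
    impact_eur: float        # expected loss per occurrence, in EUR
    likelihood_level: int    # 1 (rare) .. 5 (almost certain)
    impact_level: int        # 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Tolerance:
    """Risk tolerance fixed by the organization before the assessment (assumed form)."""
    max_exposure_eur: float  # highest acceptable annualised exposure per risk
    max_score: int           # highest acceptable likelihood_level * impact_level


def exposure_eur(risk: Risk) -> float:
    """Annualised exposure (annualised loss expectancy): likelihood x impact."""
    return risk.likelihood * risk.impact_eur


def score(risk: Risk) -> int:
    """Position on the likelihood/impact matrix, as a single ordinal product."""
    return risk.likelihood_level * risk.impact_level


def exceeds_tolerance(risk: Risk, tol: Tolerance) -> bool:
    """Out of tolerance if either the monetary exposure or the matrix score breaches
    its ceiling; checking both catches low-probability, high-impact risks whose
    expected-value exposure alone would look acceptable."""
    return exposure_eur(risk) > tol.max_exposure_eur or score(risk) > tol.max_score


def exposure_by_risk(risks: list[Risk]) -> list[tuple[str, float]]:
    """Metric: EUR risk exposure for each identified risk, highest first."""
    return sorted(((r.name, exposure_eur(r)) for r in risks),
                  key=lambda item: item[1], reverse=True)


def share_exceeding_tolerance(risks: list[Risk], tol: Tolerance) -> float:
    """Metric: fraction (0..1) of identified risks whose impact/likelihood exceed
    the organization's risk tolerance. An empty register reports 0.0."""
    if not risks:
        return 0.0
    return sum(1 for r in risks if exceeds_tolerance(r, tol)) / len(risks)


# Constructed sample register; the names, probabilities and amounts are illustrative.
REGISTER: list[Risk] = [
    Risk("Unpatched internet-facing VPN appliance", 0.4, 250_000, 4, 4),
    Risk("Laptop theft with unencrypted disk", 0.2, 30_000, 3, 2),
    Risk("Payroll data leak via misconfigured storage bucket", 0.1, 800_000, 2, 5),
    Risk("Credential compromise through phishing", 0.6, 50_000, 5, 3),
]

# Constructed tolerance: at most EUR 50k annualised exposure per risk, and any
# matrix score of 12 or more (e.g. likelihood 4 x impact 3) is out of tolerance.
TOLERANCE = Tolerance(max_exposure_eur=50_000, max_score=11)


def report(risks: list[Risk], tol: Tolerance) -> str:
    """Render both metrics the way they would appear in an assessment summary."""
    lines = [f"{name}: EUR {eur:,.0f}" for name, eur in exposure_by_risk(risks)]
    pct = 100 * share_exceeding_tolerance(risks, tol)
    lines.append(f"Risks exceeding tolerance: {pct:.0f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER, TOLERANCE))
```

The phishing entry shows why both ceilings are checked: its annualised exposure (EUR 30,000) sits under the monetary limit, yet its matrix score of 15 puts it out of tolerance, so it is counted in the percentage metric. Keeping the tolerance and the scoring rule in code (or in a versioned configuration) is what makes the level 3 "comparable data" across successive assessments achievable.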