IVI Framework Viewer

Security Risk Assessment

C2

Identify exposures to security-related risks, and quantify their likelihood and potential impact.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Risk Assessment at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
The organization behaves on an ad hoc basis: with no documented processes or procedures, staff respond differently according to their differing levels of experience and training.
    Metric
# Customer complaints/accolades concerning the (in)consistency of security risk handling.
2 Basic
  • Practice
    Establish a security risk assessment process in IT and ensure subject matter experts are identified within IT by system or process owners. Use IT specific risk measures/metrics during risk assessments.
    Outcome
    Security risk assessments are conducted by qualified staff and there is confidence in any assessment findings. The risks identified include major pain-points and current trends but lack consistency. Security risk assessments include IT metrics that are typically focused on technical assets but no consistent metrics framework is in place.
    Metric
    # Subject matter experts identified for security risk assessments in IT
    % Identified risks whose impact/likelihood exceed the organization's risk tolerance
3 Intermediate
  • Practice
    Use IT and business metrics in risk assessments. Conduct security risk assessments on a regular basis and involve subject matter experts from IT and some business areas. Use dimensions and information from security risk profiles for assessment and ensure complete assessment of exposures.
    Outcome
    Risk assessments include IT and business metrics that are typically focused on business assets and processes, and a consistent metrics framework is used. Regular risk assessments facilitate the collection of comparable data and encourage follow-through on risk handling. Consistent information is available on risks in IT and some business areas; this information is sufficient for risks to be taken into account in decision-making processes.
    Metric
    # Subject matter experts identified for risk assessment in IT
    # Subject matter experts identified for risk assessment in business units
    Risk exposure for each identified risk
    % Identified risks whose impact/likelihood exceed the organization's risk tolerance
4 Advanced
  • Practice
    Define and use assessment metrics that are linked to the impact on business processes. Ensure the security risk assessment process, including the use of metrics, is used consistently organization-wide and is aligned with, and updated according to, the enterprise risk assessment processes.
    Outcome
    An organization-wide, holistic and stable metrics framework exists. There is clear linkage between business process impact and risk. Consistent information is available on all risks organization-wide; information is sufficient for risks to be taken into account in decision-making processes.
    Metric
    € Risk exposure for each identified risk
    % Identified risks whose impact/likelihood exceed the organization's risk tolerance
5 Optimized
  • Practice
    Ensure the security risk assessment process is agile and adaptable to the needs of the business ecosystem, considers long-term risks and is continually optimized.
    Outcome
    The expanded scope of Security Risk Management allows for inclusion of long-term risks and adaptability to the complexity and scope of the business ecosystem operating model.
    Metric
    Time horizon for risks
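The two quantitative metrics that recur from the Basic to the Advanced level (€ risk exposure per identified risk, and % of identified risks whose impact/likelihood exceed the organization's risk tolerance) only yield comparable data if they are computed the same way for every risk and every assessment cycle. The following Python is an added worked example, not part of the IT-CMF material: it computes both metrics over a small risk register. The exposure formula (annual likelihood multiplied by per-occurrence impact, i.e. an annualized loss expectancy) and the register values are assumptions for illustration; the framework itself does not prescribe a formula or a tolerance value.

```python
"""Security Risk Assessment metrics over a risk register (added example).

Assumed exposure model: exposure_eur = annual_likelihood * impact_eur, the
classic annualized loss expectancy. The register and tolerance below are
constructed sample data, not taken from the framework.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_likelihood: float  # expected occurrences per year (assumed input)
    impact_eur: float         # loss per occurrence in EUR (assumed input)


def exposure_eur(risk: Risk) -> float:
    """Annualized exposure in EUR for one identified risk."""
    return risk.annual_likelihood * risk.impact_eur


def exposures(register: list[Risk]) -> dict[str, float]:
    """Metric '€ Risk exposure for each identified risk'."""
    return {r.name: exposure_eur(r) for r in register}


def risks_exceeding_tolerance(register: list[Risk], tolerance_eur: float) -> list[str]:
    """Names of risks whose exposure exceeds the organization's tolerance."""
    return sorted(r.name for r in register if exposure_eur(r) > tolerance_eur)


def share_exceeding_tolerance(register: list[Risk], tolerance_eur: float) -> float:
    """Metric '% Identified risks whose impact/likelihood exceed the
    organization's risk tolerance', as a percentage from 0 to 100.
    An empty register yields 0.0 rather than a division error."""
    if not register:
        return 0.0
    over = len(risks_exceeding_tolerance(register, tolerance_eur))
    return 100.0 * over / len(register)


# Constructed sample register; every figure here is illustrative.
REGISTER = [
    Risk("Phishing leading to credential theft", annual_likelihood=4.0, impact_eur=25_000),
    Risk("Ransomware on file servers", annual_likelihood=0.2, impact_eur=800_000),
    Risk("Misconfigured cloud storage exposure", annual_likelihood=0.5, impact_eur=150_000),
    Risk("Lost unencrypted laptop", annual_likelihood=2.0, impact_eur=10_000),
]
RISK_TOLERANCE_EUR = 50_000.0  # assumed annual tolerance per risk


if __name__ == "__main__":
    for name, exp in exposures(REGISTER).items():
        status = "EXCEEDS" if exp > RISK_TOLERANCE_EUR else "within"
        print(f"{name}: EUR {exp:,.0f} ({status} tolerance)")
    pct = share_exceeding_tolerance(REGISTER, RISK_TOLERANCE_EUR)
    print(f"{pct:.0f}% of identified risks exceed the risk tolerance")
```

Because the same functions are applied to every entry, the percentage is comparable across assessment cycles and business units, which is the point the Intermediate and Advanced outcomes make about a consistent metrics framework. Swapping in a different exposure model (for example, a qualitative likelihood-by-impact matrix) only requires replacing `exposure_eur`; the tolerance comparison and the percentage metric stay the same.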