IVI Framework Viewer

Security Risk Handling

C4

Implement strategies for handling information security risk, including risk acceptance, transfer, absorption, and mitigation, as appropriate. Promote interaction with incident management functions.

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Risk Handling at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    The organization may behave on an ad hoc basis: with no documented processes or procedures, staff may respond differently depending on their levels of experience and training backgrounds.
    Metric
    # Customer complaints or accolades regarding consistency of response.
2 Basic
  • Practice
    Establish a basic process for developing and implementing security risk-handling strategies. Ensure prioritized risks are handled within IT.
    Outcome
    Consistent incident handling is emerging and improving reaction times are evident. Prioritized risks are handled within IT, but some problems may occur when mitigating the potential consequences of these risks.
    Metric
    % Prioritized security risks mitigated to within the organization's risk tolerance threshold
    # Time to closure of incidents
    # Time to closure of incidents by assigned priority
3 Intermediate
  • Practice
    Assign responsibility for ownership of security risks and risk-handling strategies, and handle prioritized risks within IT and some business units.
    Outcome
    A defined policy with clear assignment of ownership for identified risks exists in IT. Prioritized risks are addressed and can be mitigated as appropriate.
    Metric
    # Identified risks that are assigned owners
    % Prioritized security risks mitigated to within the organization's risk tolerance threshold
4 Advanced
  • Practice
    Establish a multi-disciplinary, organization-wide committee to assign ownership for security risk handling. Ensure the process for implementing security risk-handling strategies is followed organization-wide.
    Outcome
    Ownership for security risk handling is assigned to experts using a stable process. Prioritized security risks are handled reliably organization-wide.
    Metric
    # Identified risks that are assigned owners
    % Prioritized security risks mitigated to within the organization's risk tolerance threshold
5 Optimized
  • Practice
    Review and optimize the process for implementing security risk-handling strategies and assigning risk ownership within the organization, as well as for the interface to external parties.
    Outcome
    The security risk-handling process is continually improved through feedback.
    Metric
    Ratio of potential cost of IT risk to annual sales
    Ratio of potential cost of IT risk to annual profit
    Ratio of potential cost of IT risk to provisions for IT risk
    % Prioritized security risks mitigated to within the organization's risk tolerance threshold