Security Risk Handling
Implement strategies for handling information security risk, including risk acceptance, transfer, absorption, and mitigation, as appropriate. Promote interaction with incident management functions.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Risk Handling at each level of maturity.
- 1 Initial
  - Practice
    - Rely on the best endeavours of staff.
  - Outcome
    - The organization may behave on an ad hoc basis because staff may respond differently, since there are no documented processes or procedures and staff have differing levels of experience and training backgrounds.
  - Metric
    - # Customer complaints about inconsistency / accolades for consistency.
- 2 Basic
  - Practice
    - Establish a basic process for developing and implementing security risk-handling strategies. Ensure prioritized risks are handled within IT.
  - Outcome
    - Consistent incident handling is emerging and improving reaction times are evident. Prioritized risks are handled within IT, but some problems may occur when mitigating the potential consequences of these risks.
  - Metric
    - % Prioritized security risks mitigated to within the organization's risk tolerance threshold
    - # Time to closure of incidents
    - # Time to closure of incidents by assigned priority
- 3 Intermediate
  - Practice
    - Assign responsibility for ownership of security risks and risk-handling strategies, and handle prioritized risks within IT and some business units.
  - Outcome
    - A defined policy with clear responsibility for assigning ownership of identified risks exists in IT. Prioritized risks are addressed and can be mitigated as appropriate.
  - Metric
    - # Identified risks that are assigned owners
    - % Prioritized security risks mitigated to within the organization's risk tolerance threshold
- 4 Advanced
  - Practice
    - Establish a multi-disciplinary organization-wide committee to assign ownership for security risk handling. Ensure the process for implementing security risk-handling strategies is followed organization-wide.
  - Outcome
    - Ownership for security risk handling is assigned to experts using a stable process. Prioritized security risks are handled reliably organization-wide.
  - Metric
    - # Identified risks that are assigned owners
    - % Prioritized security risks mitigated to within the organization's risk tolerance threshold
- 5 Optimized
  - Practice
    - Review and optimize the process for implementing security risk-handling strategies and assigning risk ownership within the organization, as well as for the interface to external parties.
  - Outcome
    - The security risk-handling process is improved through feedback.
  - Metric
    - Ratio of potential cost of IT risk to annual sales
    - Ratio of potential cost of IT risk to annual profit
    - Ratio of potential cost of IT risk to provisions for IT risk
    - % Prioritized security risks mitigated to within the organization's risk tolerance threshold