Security Risk Management
Establish an approach to the profiling of security threats and the assessment, prioritization, treatment, and monitoring of security risks and vulnerabilities.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Risk Management at each level of maturity.
- 2 Basic
  - Practice
    - Establish basic information security threat profiling and risk and vulnerability management approaches.
  - Outcomes
    - Basic threat profiles are used in a small number of high-security-risk management activities.
    - The risks identified include those associated with major pain-points and current trends.
  - Metrics
    - # of threat areas covered by the threat profile.
    - % of identified risks whose impact/likelihood exceed the organization's risk tolerance.
    - % of identified risks that are assigned owners.
    - % of prioritized risks mitigated to within the organization's risk tolerance threshold.
- 3 Intermediate
  - Practice
    - Implement an agreed and documented set of information security threat profiling and risk and vulnerability management approaches.
  - Outcomes
    - The threat profiles cover several areas and provide greater awareness of new and emerging threats.
    - Most security risks and vulnerabilities are effectively managed.
  - Metrics
    - # of threat areas covered by the threat profile.
    - # of threat agents identified.
    - % of identified risks whose impact/likelihood exceed the organization's risk tolerance.
    - % of identified risks that are assigned owners.
    - % of prioritized risks mitigated to within the organization's risk tolerance threshold.
- 4 Advanced
  - Practices
    - Enhance the information security threat profiling and risk and vulnerability management approaches with automation, and ensure security features can dynamically adjust to the detected threat levels.
    - Mandate and enforce compliance with the approaches for all security risk and vulnerability management activities.
  - Outcome
    - All security risks and vulnerabilities are effectively managed, and consistent information about them is available for use in decision-making processes.
  - Metrics
    - # of threat areas covered by the threat profile.
    - # of threat agents identified.
    - % of identified risks whose impact/likelihood exceed the organization's risk tolerance.
    - % of identified risks that are assigned owners.
    - % of prioritized risks mitigated to within the organization's risk tolerance threshold.
- 5 Optimized
  - Practice
    - Continually inform the information security threat profiling and risk and vulnerability management approaches with the latest recommendations from security agencies, vendors, and emerging research, and further improve them based on changes in the risk landscape and lessons learned from previous information security incidents across the business ecosystem.
  - Outcome
    - Threat profiles and risk and vulnerability management approaches are kept up-to-date and relevant through collaborative input and review processes and the latest industry thinking.
  - Metrics
    - Frequency of threat profile updates.
    - Frequency of the risk management review cycle.
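As an added illustration (not part of the framework text), the Python below computes the Basic-level metrics listed above from a small risk register; the 1-5 impact and likelihood scales, the multiplicative scoring, the tolerance threshold, and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    rid: str
    threat_area: str                      # threat-profile area the risk belongs to
    impact: int                           # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int                       # 1 (rare) .. 5 (almost certain), assumed scale
    owner: Optional[str] = None           # None = no owner assigned yet
    residual_score: Optional[int] = None  # impact*likelihood after treatment; None = untreated

    @property
    def score(self) -> int:
        # Assumed scoring: inherent risk = impact x likelihood.
        return self.impact * self.likelihood


def risk_metrics(register: List[Risk], tolerance: int) -> Dict[str, float]:
    """Basic-level POM metrics; 'tolerance' is the highest score the organization accepts."""
    if not register:
        return {"threat_areas_covered": 0, "pct_above_tolerance": 0.0,
                "pct_with_owner": 0.0, "pct_prioritized_mitigated": 0.0}
    n = len(register)
    # Risks above tolerance are the prioritized ones that must be treated.
    above = [r for r in register if r.score > tolerance]
    owned = [r for r in register if r.owner]
    # A prioritized risk counts as mitigated only once its residual score is within tolerance.
    mitigated = [r for r in above if r.residual_score is not None and r.residual_score <= tolerance]
    return {
        "threat_areas_covered": len({r.threat_area for r in register}),
        "pct_above_tolerance": round(100 * len(above) / n, 1),
        "pct_with_owner": round(100 * len(owned) / n, 1),
        "pct_prioritized_mitigated": round(100 * len(mitigated) / len(above), 1) if above else 100.0,
    }


# Constructed sample register (illustrative values, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("R1", "supply-chain", impact=5, likelihood=4, owner="appsec", residual_score=6),  # treated
    Risk("R2", "identity", impact=4, likelihood=3, owner="infra"),                        # untreated
    Risk("R3", "identity", impact=2, likelihood=2),                                       # tolerable
    Risk("R4", "cloud", impact=3, likelihood=5, owner="ciso", residual_score=15),         # still high
    Risk("R5", "endpoint", impact=1, likelihood=3, owner="infra"),
]

if __name__ == "__main__":
    print(risk_metrics(SAMPLE_REGISTER, tolerance=8))
```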