At times I thirst for a dictum, especially when I have more 'important' things to deal with and more lucrative opportunities to pursue, things I deem more exciting than 'Risk Assessment Frameworks.'
Yet here you are, as am I, so perhaps risk assessment frameworks do qualify after all.
- ISO 27005
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Control Objectives for Information and Related Technologies (COBIT)
- NIST publications: SP 800-30 (the risk assessment guide), the SP 800-53 control catalog, and the Cybersecurity Framework (CSF)
So now that you have selected the Risk Assessment Framework for your organization, what's next?
Have you considered the outcome of your choice? Did you begin with the end in mind?
Strategy ignites the ‘PoP.’ Prepare on Purpose.
Your chosen risk management framework should give rise to a sound risk assessment strategy, and that strategy must answer the following questions:
- Is the person responsible for the risk assessment, whether the Chief Information Security Officer (CISO), the Chief Information Officer (CIO) or someone else, part of the executive management team, or does he or she at least have a direct channel of communication to it?
- Does he or she have a clear understanding of the organization's business goals, the threats it faces, the likelihood of a compromise and the impact of a loss?
- Has the chosen security framework been evaluated in light of the risk level that is appropriate for the organization and its key assets?
- Does the outcome of the risk assessment include the development of an effective risk-mitigation and data-protection strategy that addresses the entire organization, including mobile workers, third-party vendors and supply chain partners?
- Most organizations have already been breached; the others will be. No security system is perfect enough to prevent every breach. Does the security strategy account for this reality?
- The best strategy is to put state-of-the-art protections in place, apply diligence in operating them, and place an appropriate focus on swift breach detection, response and recovery. Does executive management embrace this philosophy, and is it therefore ready to make the ongoing financial investment it requires?
- Has a road map been created for advancing the organization's maturity along a Capability Maturity Model (CMM), with continuous process improvement as the ultimate goal? And is monitoring feedback from current processes, while introducing innovations to meet the organization's needs, the organization's natural security posture?
Did you catch the spin in this post?
I asked you to pick one of the Risk Assessment Frameworks, but I 'suggested' that you give strong consideration to the NIST frameworks.
Oh the power of fonts!
It’s just a suggestion. No dictum here.
Regardless of your choice, remember that a framework is effective only when it enables the organization to identify its assets and risks, protect them, detect a breach, respond to it and recover from it.
You are an architect my friend.
Go ahead, flex those muscles and build!
Build from a sound Risk Assessment Framework.