A risk management policy should be in support of the organizations mission and deliverable, and should be ratified by executive management and based on high priority. The risk management policy statements should place a very high priority on managing organizational risk both strategically and systematically. This policy will be the catalyst for all other risk management activities within the organization.
Information security groups can use the risk management policy to ensure that Any risk assessment methodology is followed and used pervasively across the organization. Risk management should begin at the highest level and should be applied consistently to all levels of the organization and management. This will ensure that all staff and management understand their responsibilities and will integrate risk management into their daily procedures, processes and practices.
The main goals of a Risk Management Policy include:
- Enhance stakeholder and staff safety,
- Ensure that the knowledge, skills and attitudes required for successful risk management are included in appropriate departmental training and career development courses,
- Integrate risk management into our daily decision making processes,
- Ensure that departmental risks are identified, monitored and treated,
- Integrate risk assessment and departmental planning processes, and
ensure departmental key performance indicators include the risk management processes.
Risk management methodology
Once any risk management policy is ratified we must consider the whole process of risk management and the framework that must exist for it to be a successful tool in assessing were to place the correct information security controls. A risk management framework involves defining a risk assessment approach in which risks will be identified and analyzed enabling a business to effectively devise effective treatments for the identified risks.
The ISO 27002 offers great direction when developing an effective risk management policy framework, this direction states the following:
- Identifying the organization’s assets and the owners of the assets. This is all about knowing what you need to protect and who is responsible.
- Identifying the threats to the assets along with the vulnerabilities that may be exploited. This is an analysis of how the assets may be compromised.
- Identifying the impacts that losses of confidentiality, integrity and availability of the assets may have on the business. In this step, the organization determines what would be the impact or lost value to the organization if the asset was compromised.
- Assessing the realistic likelihood of a security failure leading to the compromise of the asset. With the completion of this step, the organization can calculate the risks it faces, make a conscious decision to accept individual risks, or set priorities on the implementation of security controls to mitigate the risks.
The risk methodology selected does not have to be complex, expensive or over-reaching; it must however, ensure the risk assessments produce comparable and reproducible results.
A risk assessment methodology will help an business to organize and perform risk assessments as part of a project life-cycle. There are currently many available methodologies to use some more complicated than others. A good approach is to always use a simple and easily understood methodology which can be learned quickly and applied effectively. If a project team finds a methodology difficult to learn and implement the risk of the whole process being performed ineffectively is increased due to complexity.
No matter which approaches taken the objectives for risk assessment never change these objectives are to identify risks, vulnerabilities, and potential threats, and determine the likely realization of a threat exploiting vulnerability and the resulting impact to the business.
All of this may sound daunting but managed correctly it can be easily integrated into current business processes. Of course sometimes risk assessments can be a nuisance to operational groups so getting them involved and educating them on the methodology is absolutely necessary if your risk management efforts are to be successful. Some organizations outsource this function to bring objectivity into the assessment process and using an outsider can sometimes be a political move as it involves the outsider giving bad news to management instead of in-house staff. (Everybody likes to shoot a messenger)
Risk management process
For a small organization this process can be extremely simple and done very quickly with little or no politics to consider. Performing a quick calculation and applying the correct controls can take a short time to accomplish.
Any risk assessment process should be passive in nature and initiated early on in the project’s life cycle. By doing this resources can be allocated to particular risks which have been identified avoiding frustration. On many occasions risk assessments are done at the end of projects which can cause extreme amount of stress to operational groups because identified risks need treating delaying projects and costing money.
A good reference can be found here