The J.D. Fox Exec Risk Management Process
Introduction
Below is a detailed outline of how we'll perform Risk Management activities during development of your security programs. The Risk Management process is an essential part of developing your Information Security Policy, Disaster Recovery plan, and Business Continuity plan. With it, we will methodically determine which are the most significant threats and vulnerabilities to address, and what controls will best mitigate them.
The knowledge on this page was developed through years of studying and analyzing best practices doctrine, as well as applying it to real-world situations. It is a workable, tested, and effective method, which produces measurable results. It is shared here so you can see the logical flow you can expect from all activities when you engage J.D. Fox Exec to improve your Business Systems Management.
This particular outline is, as referenced above, focused on Risk Management for Information Security and Business Continuity. For most businesses, both of these programs are driven by critical dependency on information technology (IT), and this is addressed by steps that are IT-focused. In particular, the metrics for Business Impact Analysis, the Threat Modeling process, and the Vulnerability Management Program are constructed specifically to address the manner in which information technology interacts with and supports your operations. The Risk Management process for other components of your Enterprise Risk Management program (such as market risk or financial risk) will follow the same method overall, but the details would differ significantly.
Notice that, unlike many articles you might find elsewhere about Risk Management, the process below creates valuable knowledge assets for your business. These assets will provide consistent decision support, cost savings, and impact mitigation so long as they are regularly maintained, and you can see that maintenance is built into the process outlined below. The J.D. Fox Exec process will provide continuous, measurable value; it is certainly not a mere one-time exercise.
Risk Management Steps
1. Establish scope. For example, for J.D. Fox Exec, this will be for Information Security, Disaster Recovery, and Business Continuity. But in certain situations we may perform Risk Management for something quite narrow, such as the risk of downtime for a specific computer application, or breach of highly confidential business data.
2. Top management or business owner establishes goals and objectives, and describes risk tolerance levels, based on intimate knowledge of short- and long-term objectives, operations, and financial position.
3. Depending on level of formality and breadth of scope, we may choose to write a charter or policy establishing a budget, schedule, and roles and responsibilities for the risk management program development.
4. Identify and classify relevant assets for protection from risk. This includes physical assets, information assets, intangible assets, human resources, supply chains, and service providers.
5. Develop a list of critical functions and dependencies, where relevant to the scope.
6. Identify constraints, such as from statute, regulations, or policies.
7. Identify existing business processes, practices, and policies from all departments.
8. Perform Business Impact Analysis (BIA). This will take all the information gathered in steps 2 through 7, and define the Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO) for protected assets and functions.
9. Perform Risk Assessment, which involves these steps:
   - Perform Threat Modeling.
   - Perform Vulnerability Management. This mostly applies to information technology.
   - With the threat modeling data, the current state of vulnerabilities, and the BIA, we can determine the likelihood and impact of events, system failures, or security breaches that would cause loss or degradation of assets, disrupt critical functions of your business, or otherwise cause financial or reputational loss. It is in this step that we accurately quantify risks, in dollar amounts, using a synthesis of well-tested methods such as NIST 800-30 and the FAIR framework.
   - Identify the potential events, system failures, or security breaches which are currently above risk thresholds, given their quantified risk.
   - Develop potential risk reduction controls for these.
   - Analyze these controls. Determine the implementation cost of each control, and by how much it will reduce the associated potential losses.
   - Document the risk that would remain after the control is implemented (residual risk). Then apply analysis and additional controls to the residual risk, and repeat until residual risk is below acceptable levels.
10. Define assessment criteria (metrics), and collect baseline data.
11. Create a plan for implementation of approved controls, including collection of performance data.
12. Monitor and track implementation using project management techniques. Collect data on metrics.
13. Set a schedule to review steps 2 through 9.
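A worked illustration of the Risk Assessment and control analysis steps above (quantifying risk in dollars, weighing each control's cost against the loss it avoids, and iterating on residual risk until it is within tolerance), added here as example code rather than J.D. Fox Exec's own tooling. It uses a simplified annualized-loss model (likelihood times impact per event) as a stand-in for the NIST 800-30/FAIR synthesis described above; the scenario figures, control names and their effects are constructed.

```python
# Added illustration, not J.D. Fox Exec's method: risk as annualized loss expectancy,
# controls judged by cost vs. loss avoided, residual risk iterated down to tolerance.
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    aro: float  # annual rate of occurrence (likelihood, events per year)
    sle: float  # single loss expectancy (impact, dollars per event)

    @property
    def ale(self) -> float:  # annualized loss expectancy = likelihood x impact
        return self.aro * self.sle

@dataclass
class Control:
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # multiplies likelihood (0.4 = 60% fewer events)
    sle_factor: float = 1.0  # multiplies impact (0.25 = 75% smaller loss)

def sle_from_bia(outage_hours: float, hourly_loss: float, recovery_cost: float) -> float:
    # impact of one event from BIA figures: revenue lost during the outage plus recovery
    return outage_hours * hourly_loss + recovery_cost

def apply_control(risk: Risk, control: Control) -> Risk:
    # residual risk once the control is in place
    return Risk(risk.name, risk.aro * control.aro_factor, risk.sle * control.sle_factor)

def net_benefit(risk: Risk, control: Control) -> float:
    # annual loss avoided minus annual control cost; negative means it does not pay
    return risk.ale - apply_control(risk, control).ale - control.annual_cost

def select_controls(risk: Risk, candidates: list, tolerance: float):
    # greedily add the control with the best net benefit against the *current* residual
    # risk, stopping when residual ALE is within tolerance or nothing left pays for itself
    chosen, remaining, current = [], list(candidates), risk
    while current.ale > tolerance and remaining:
        best = max(remaining, key=lambda c: net_benefit(current, c))
        if net_benefit(current, best) <= 0:
            break  # what remains must be accepted or transferred, not mitigated further
        chosen.append(best); remaining.remove(best); current = apply_control(current, best)
    return chosen, current

# constructed scenario: ransomware on a file server, 48 h outage at $2,000/h plus $20,000 recovery
RISK = Risk("ransomware on file server", aro=0.5, sle=sle_from_bia(48, 2000, 20000))
CONTROLS = [Control("tested offline backups meeting RPO", 6000, sle_factor=0.25),
            Control("endpoint detection and response", 12000, aro_factor=0.4),
            Control("security awareness training", 3000, aro_factor=0.6),
            Control("cyber insurance", 15000, sle_factor=0.6)]
TOLERANCE = 10000.0  # risk appetite set by top management in step 2
```

Calling `select_controls(RISK, CONTROLS, TOLERANCE)` picks backups and then training, bringing the $58,000 annual expected loss down to $8,700 for $9,000 a year in controls; with a much tighter tolerance the loop stops early because the remaining controls cost more than they save, which is exactly the residual risk that must be formally accepted.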
Examples
Click here for a simple example of Risk Management process, including assessment criteria for risk controls, baseline data, and performance data.