IT Risk & Security: Approach & Methodology

The proposed approach is self-directed, meaning that people from an organisation assume responsibility for assessing the risks, selecting controls and thus setting the organisation’s security strategy. This technique leverages people’s knowledge of their organisation’s security-related practices and processes to:

  • capture the current state of security practice within the organisation,
  • identify risks to the most critical assets,
  • prioritise areas of improvement and set the security strategy for the organisation.

The objectives behind the introduction of this risk assessment and risk management approach are to:

  • Improve existing Information Security Thresholds. The approach can be used as a catalyst to accelerate SME efforts towards information security risk management by addressing high risks. Furthermore, by targeting typical threat scenarios it will ultimately improve existing information security thresholds.
  • Fulfil the business requirements, context and constraints typically found in SME environments by avoiding specialised terminology and eliminating the highly demanding tasks built into almost every existing, widespread professional methodology and industry standard (e.g. asset valuation, business impact analysis, identification of security requirements).
  • Use a self-directed approach tailored to the means, resources and expertise typically found in an SME environment.
  • Focus on critical assets and the highest risks. The method was developed as a simple, easy-to-follow guide for identifying and protecting the assets judged to be most critical to the organisation.
  • Develop a measure-independent risk assessment and management method, for the purpose of producing a first practical and realistic output.

Our next installment – IT Risk & Security: Working Assumptions
