The proposed approach is self-directed, meaning that people from an organisation assume responsibility for assessing the risks, selecting controls and thus setting the organisation’s security strategy. This technique leverages people’s knowledge of their organisation’s security-related practices and processes to:
- capture the current state of security practice within the organisation,
- identify risks to the most critical assets,
- prioritize areas of improvement and set the security strategy for the organisation.
The objectives behind the introduction of this risk assessment and risk management approach are to:
- Improve existing information security thresholds. The approach can be used as a catalyst to accelerate SME efforts towards information security risk management by addressing the highest risks first. Furthermore, by targeting typical threat scenarios it will ultimately raise existing information security thresholds.
- Fulfil the business requirements, context and constraints typically found in SME environments by avoiding specialised terminology and eliminating the highly demanding tasks built into almost every existing, widespread professional methodology and industry standard (e.g. asset evaluation, business impact analysis, identification of security requirements).
- Use a self-directed approach tailored to the means, resources and expertise typically found in an SME environment.
- Focus on critical assets and the highest risks. The method was developed as a simple and easy guide for identifying and protecting the assets judged to be most critical to the organisation.
- Develop a measure-independent risk assessment and management method. For the purpose of producing a first practical and realistic output
Our next installment – IT Risk & Security: Working Assumptions