Conducting Decision Support and Implementing Controls and Measuring Program Effectiveness

  • Writer: Abhilasha
  • Jul 8, 2024
Conducting Decision Support

Identifying Output for the Decision Support Phase

Key Elements to Gather:

  1. Decision on How to Handle Each Risk

  • Determine whether to accept, transfer, avoid, or mitigate each identified risk.

  2. Functional Requirements

  • Document the specific requirements and objectives that control solutions need to meet.

  3. Potential Control Solutions

  • List possible control solutions that can address the identified risks.

  4. Risk Reduction of Each Control Solution

  • Assess and document how much each control solution reduces the risk.

  5. Estimated Cost of Each Control Solution

  • Calculate and record the costs associated with each control solution, including implementation and maintenance.

  6. List of Control Solutions to Be Implemented

  • Finalize and list the control solutions selected for implementation based on their effectiveness and cost.

Considering the Decision Support Options

Options for Handling Risk: ATAM

  1. Accept:

  • Decide to accept the risk and its potential impact without taking further action.

  • Suitable for low-probability or low-impact risks.

  2. Transfer:

  • Shift the risk to another party, often through insurance or outsourcing.

  • Used when another party can manage the risk more effectively.

  3. Avoid:

  • Take actions to completely eliminate the risk.

  • Ideal for high-impact risks that can be avoided through strategic decisions.

  4. Mitigate:

  • Implement measures to reduce the probability or impact of the risk.

  • Commonly used for manageable risks that can't be entirely avoided.


Steps in Risk Mitigation Strategy Selection

Step 1: Define Functional Requirements

  • Determine what the control solutions must achieve.

  • Outline specific requirements and objectives that the solutions need to fulfill.

Step 2: Identify Control Solutions

  • Gather potential control solutions that can address the identified risks.

  • Involve the security risk management team and security steering committee to brainstorm and select viable options.

Step 3: Review Solutions Against Requirements

  • Evaluate the identified control solutions against the defined functional requirements.

  • Ensure the solutions align with the objectives and meet the necessary criteria.

Step 4: Estimate Degree of Risk Reduction

  • Assess how much each control solution will reduce the risk.

  • Estimate the effectiveness of each solution in mitigating the identified risks.

Step 5: Estimate Cost of Each Solution

  • Calculate the costs associated with implementing each control solution.

  • Include all potential expenses, such as installation, maintenance, and operation costs.

Step 6: Select the Risk Mitigation Strategy

  • Choose the most appropriate risk mitigation strategy based on the analysis.

  • Consider the balance between risk reduction and the cost of the control solutions.

  • Involve the mitigation owner, security risk management team, and security steering committee in the final decision-making process.
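As an added worked example (not part of the original post), a small Python helper carries Steps 3 to 6 through on constructed figures: it discards candidates that miss a functional requirement, computes residual risk and cost per unit of risk reduced, and selects the most cost-effective control whose residual risk stays within what the business accepts. All control names, costs and reduction percentages are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    """One candidate control solution (Step 2)."""
    name: str
    cost: float                  # Step 5: implementation plus maintenance, in currency units
    risk_reduction: float        # Step 4: fraction of the annualized loss the control removes
    meets: set = field(default_factory=set)  # functional requirements it satisfies (Step 1)

def residual_risk(exposure: float, control: Control) -> float:
    """Annualized loss expectancy left after the control is applied."""
    return exposure * (1.0 - control.risk_reduction)

def cost_per_unit_reduction(exposure: float, control: Control) -> float:
    """Cost of each currency unit of risk removed; lower is better (Step 6)."""
    removed = exposure - residual_risk(exposure, control)
    return float("inf") if removed <= 0 else control.cost / removed

def select_control(exposure, requirements, candidates, acceptable_residual):
    """Steps 3-6: drop controls that miss a functional requirement or leave more
    residual risk than accepted, then pick the most cost-effective remaining one."""
    eligible = [c for c in candidates
                if requirements <= c.meets
                and residual_risk(exposure, c) <= acceptable_residual]
    if not eligible:
        return None  # nothing qualifies: revisit requirements or the accepted residual
    return min(eligible, key=lambda c: cost_per_unit_reduction(exposure, c))

# Constructed sample input (hypothetical figures, not from any real assessment).
SAMPLE_EXPOSURE = 200_000.0            # annualized loss expectancy of one identified risk
REQUIREMENTS = {"encrypt-at-rest", "audit-logging"}
ACCEPTABLE_RESIDUAL = 80_000.0
CANDIDATES = [
    Control("Full-disk encryption", 30_000.0, 0.60, {"encrypt-at-rest"}),
    Control("DB encryption + logging", 50_000.0, 0.70, {"encrypt-at-rest", "audit-logging"}),
    Control("Managed DB service", 120_000.0, 0.90, {"encrypt-at-rest", "audit-logging"}),
]

def run_example():
    """Apply the selection to the sample data and return the chosen control's name."""
    chosen = select_control(SAMPLE_EXPOSURE, REQUIREMENTS, CANDIDATES, ACCEPTABLE_RESIDUAL)
    return None if chosen is None else chosen.name

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:26} residual={residual_risk(SAMPLE_EXPOSURE, c):>9.0f} "
              f"cost/unit={cost_per_unit_reduction(SAMPLE_EXPOSURE, c):.2f}")
    print("Selected:", run_example())
```

The first candidate is rejected at Step 3 (no audit logging), and the cheaper of the two that remain wins because it keeps residual risk under the accepted 80,000 at roughly half the cost per unit of risk removed.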


Conducting Decision Support: Best Practices

  1. Assign a Security Technologist to Each Risk

  • Designate a knowledgeable expert to manage and address each identified risk.

  2. Set Reasonable Expectations

  • Ensure that goals and outcomes are realistic and achievable, considering resources and constraints.

  3. Build Team Consensus

  • Encourage agreement and collaboration among team members to support the chosen risk mitigation strategies.

  4. Focus on the Amount of Risk After the Mitigation Solution

  • Concentrate on evaluating the residual risk remaining after implementing the mitigation solution to ensure it is within acceptable levels.


Implementing Controls and Measuring Program Effectiveness

Organizing the Control Solutions

Critical Success Determinants:

  1. Communication: Ensure clear and continuous dialogue among team members.

  2. Team Scheduling: Coordinate schedules effectively to align team efforts.

  3. Resource Requirements: Identify and allocate necessary resources for control implementation.

Organizing by Defense-in-Depth

  1. Network: Implement security measures at the network level.

  2. Host: Secure individual devices and systems.

  3. Application: Protect applications and software.

  4. Data: Ensure the security of data, both in transit and at rest.

  5. Physical: Implement physical security measures to protect hardware and facilities.

Implementing Controls

  • Put the selected security measures in place.

Conducting Decision Support

  • Make informed decisions on risk mitigation strategies based on gathered data.

Measuring Program Effectiveness

  1. Develop Scorecard: Create a tool to evaluate and track security performance.

  2. Measure Control Effectiveness: Assess how well the controls are working through various methods.

Developing a Security Risk Scorecard for Your Organization

  • Risk Levels (H, M, L): Use a simple scorecard to evaluate risks across Defense-in-Depth layers (e.g., Physical, Network, Host, Application, Data).

Measuring Control Effectiveness

  1. Direct Testing: Perform hands-on evaluations of control measures.

  2. Submitting Periodic Compliance Reports: Regularly report on adherence to security policies.

  3. Evaluating Widespread Security Incidents: Analyze incidents to measure control performance.

Summary

  1. Decide on Risk Management Methodology: Choose an approach for managing risks.

  2. Determine Your Maturity Level: Assess your organization’s current capability in risk management.

  3. Conduct Risk Assessment: Identify and evaluate potential risks.

  4. Conduct Decision Support: Use data to support risk management decisions.

  5. Implement Controls & Measure Effectiveness: Apply controls and continually assess their performance.



Goals of Risk Management Framework

  1. Integrate Enterprise Risk Management: Embed risk management in the performance management cycle of the organization.

  2. Communicate Benefits: Highlight the advantages of risk management to the organization.

  3. Convey Policy and Approach: Explain the organization's policy, approach, and attitude toward risk management.

  4. Set Scope and Application: Define the extent and use of risk management within the organization.

  5. Establish Roles and Responsibilities: Determine who is responsible for managing risk.

  6. Consistent Approach: Ensure a uniform method for managing risks, aligned with standards and best practices.

  7. Escalate and Report Risks: Outline the process for raising and reporting risks.

  8. Commitment to Review: Show the organization's dedication to periodically reviewing and improving the risk management framework.

  9. Describe Resources: Identify resources available to those accountable for managing risks.

  10. Meet Reporting Obligations: Ensure the department fulfills its risk reporting requirements.

Benefits of Risk Management

  1. Effective Management: Handle adverse events or opportunities that impact goals and objectives.

  2. Informed Decisions: Make decisions regarding potential negative effects of risk and opportunities.

  3. Improved Planning: Enhance planning and performance management processes, focusing on core business and improvements.

  4. Resource Allocation: Direct resources to the most significant risks.

  5. Avoid Surprises: Achieve greater organizational efficiencies by avoiding unexpected events.

  6. Positive Culture: Foster a culture where everyone understands their role in achieving objectives.

Benefits of Risk Management (Detailed)

  1. Creating and Protecting Value: Contributes to achieving objectives and improving performance in governance, project management, and safety.

  2. Integral to Processes: Not an isolated activity; part of governance, accountability, performance management, planning, and reporting.

  3. Part of Decision-Making: Helps make informed choices, prioritize activities, and identify effective actions.

  4. Addressing Uncertainty: Identifies and addresses uncertainty through risk assessments and controls.

  5. Systematic and Structured: Ensures efficiency and consistent, reliable results.
