|
Your organization should now have completed the Assessing Risk phase and
developed a prioritized list of risks to its most valuable assets. Now you must
address the most significant risks by determining appropriate actions to
mitigate them. This phase is known as Conducting Decision Support. During the
previous phase, the Security Risk Management Team identified assets, threats to
those assets, vulnerabilities that those threats could exploit to potentially
impact assets, and the controls already established to help protect the assets.
The Security Risk Management Team then created a prioritized list of risks.
The decision support process includes a formal cost-benefit analysis with
defined roles and responsibilities across organizational boundaries. The
cost-benefit analysis provides a consistent, comprehensive structure for
identifying, scoping, and selecting the most effective and cost efficient
mitigation solution to reduce risk to an acceptable level. Similar to the risk
assessment process, the cost-benefit analysis requires strict role definitions
in order to operate effectively. Also, before conducting the cost-benefit
analysis, the Security Risk Management Team must ensure that all stakeholders,
including the Executive Sponsor, have acknowledged and agreed to the process.
During the Conducting Decision Support phase, the Security Risk Management
Team must determine how to address the key risks in the most effective and cost
efficient manner. The end result will be clear plans to control, accept,
transfer, or avoid each of the top risks identified in the risk assessment
process. The six steps of the Conducting Decision Support phase are:
- Define functional requirements.
- Select control solutions.
- Review solutions against the requirements.
- Estimate the degree of risk reduction that each control provides.
- Estimate costs of each solution.
- Select the risk mitigation strategy.
When comparing the value of a particular control to that of another, there
are no simple formulas. The process can be challenging for a variety of reasons.
For example, some controls impact multiple assets. The Security Risk Management
Team must agree on how to compare the values of controls that impact different
combinations of assets. Additionally, there are costs associated with controls
that extend beyond the implementation of those controls. Related questions to
consider include:
- How long will the control be effective?
- How many person hours per year will be required to monitor and maintain
the control?
- How much inconvenience will the control impose on users?
- How much training will be needed for those responsible for implementing,
monitoring, and maintaining the control?
- Is the cost of the control reasonable, relative to the value of the
asset?
The remainder of this chapter will discuss answers to these questions.
You will attain success during the decision support process if you follow a
clear path and if participants understand their respective roles at each step.
The following diagram illustrates how the Security Risk Management Team conducts
the decision support process. Mitigation Owners are responsible for proposing
controls that will lessen the risk and then determining the cost of each
control. For each proposed control, the Security Risk Management Team estimates
the degree of risk reduction that the control can be expected to provide. With
these pieces of information, the team can then conduct an effective cost-benefit
analysis for the control to determine whether to recommend it for
implementation. The Security Steering Committee then decides which controls will
be implemented.
|
Call Now : 800-519-
2267
|
Testimonials
|
If you're serious about getting certified,
this is the place to go. Definitely worth
their competitive price. Excellent
instructors, making it possible for anyone
to learn no matter what your level of
experience or knowledge.
Michael Doty
|
 |
|
No Prestudy