Effective security risk management process



As we mentioned in the previous blog post, defining the information risk management principles and designing the framework is the starting point. The next step is setting up the information risk management process. There are five essential steps to implementing an effective information risk management process, as shown below.


Information risk management process flow



One of the key challenges in implementing an effective information risk management process is that people often don't follow it. The primary reasons are that its purpose is unclear or that people do not know how it works. An effective information risk management process starts with a clear purpose and context, a guideline for managing risks, and proper communication.


In this post, we cover the context of the information risk management process. Setting the context is the starting point. It defines the scope of the process, its standard criteria, and the requirements for the team that will manage it.


A well-defined context helps the people involved focus on the essential activities, manage resources effectively, and brings clarity for everyone.


The context of the information risk management process


The practical way to define the scope of the information risk management process is to align it with the scope of the information security program. The information risk management process should not go beyond what the organization has defined it needs to protect.

For example, suppose the information security program's scope is to ensure the confidentiality, integrity, and availability of customer data. In that case, the information risk management process should address risks related to customer data. Therefore, the process can cover all organizational structures, processes, software, and hardware assets that process customer data.

Make the process scope as straightforward as possible, document it in the policy, and communicate it so that everyone is aware of it.

The next step is to define the criteria of the information risk management process. Criteria bring simplicity and clarity to the process. Below are three essential criteria for you to use:

  • risk evaluation,

  • risk impact, and

  • risk acceptance.

Risk evaluation criteria should help determine under which circumstances, and for which types of assets, a risk assessment is required.

For example: information security risks must be assessed and treated before any system that processes clients' confidential information is put into use.

Risk impact criteria help the risk assessor and the asset owner understand the magnitude of the damage or cost if a risk materializes. You can define the impact criteria using the points below:

  • classification of the information asset,

  • loss of confidentiality, integrity, or availability of the information,

  • disruptions to business deadlines or commitments,

  • financial or reputational loss.

For example, a risk that causes loss of confidentiality of highly confidential information can have a high impact, while the unavailability of the organization's website can have a low impact.


Risk acceptance criteria help determine when and how to accept a risk. They are crucial to building an effective information risk management process. When defining the criteria, it is also important to consider business, legal, and regulatory requirements, technological and operational dependencies, and social and cultural factors.

For example, you can set the criteria to automatically accept all low-level risks, or risks that may cause a loss of less than $5000. Any risk that may cause more than $5000 in loss must then be reviewed and approved by the risk committee or the COO.

The organization may also have different acceptance criteria for different classes of risk.


Without clearly defined roles and responsibilities, there will be no effective process. Therefore, there should be a team with clear roles and responsibilities to set up and manage the process. When designing responsibilities, consider addressing:

  • Development of the information risk management process that meets the leadership expectations;

  • Identification of the stakeholders involved in the process;

  • Definition of the responsibilities of both internal and external parties;

  • Implementation of escalation procedures;

  • The requirements for keeping and retaining the information risk management process's documentation.

All of this information should be documented in the information risk management policy or framework document and communicated.

The core outcome of this step is to ensure that key roles and responsibilities are identified, assigned, and communicated, and that people know what they are responsible for.


In the next blog post, we describe how to design an effective information risk assessment process.


