Security Architecture and Organization

To effectively manage risk it necessary to have an operational framework in order to begin to understand what possible risk are faced by your organization.  A security architecture includes both technical and non-technical components.  It is not just a list of firewalls or other security controls that exist to protect the information assets of the organization.

Risk Identification and Assessment

Using the Security Architecture an Organization as a starting point, risks faced by the organization can be identified.  If you begin to find risks that are not addressed by the architecture or fall outside the organizations structure, it is time to reassess your architecture and/or organization.  These activities are heavily influenced by the regulatory environment the in which the organization operates.  Once you have identified a stable risk model you can create assessments that will measure your level of risk remaining and permit you to make informed decision about how to handle each element of risk.

Risk Treatment

Once you have identified and assessed the risks the organization faces it now time to make some decisions about how to deal with those risks that are at unacceptable levels.  There are 4 acceptable responses to risk:

  • Avoid the Risk
  • Transfer the Risk
  • Mitigate the Risk
  • Accept the Risk

It is not appropriate to "Ignore" the risk.

Security Architecture and Organization

qtq80-NDMGGd

All organization should have an established Security Architecture and identified Security Organization.  In smaller organizations, this will tend to be simpler and the Security Organization will be replaced by specific, security related tasks being done by existing staff.  In larger complex organizations, especially those in regulated industries, these will also be more complex and have dedicated staffs.  I can assist in the creation or review of your organization's architecture and organization.

Risk Identification and Assessment

qtq80-18ekYW

Based on your organization's business and regulatory environment, the processes to identify and assess the risks go from straight forward to very complex.  Smaller organizations can keep track of risk and assessment using manual methods but larger, complex and regulated organization will need to consider a GRC tool.  I have implemented both a manual approach and then migrated that process to a RSA/Archer's GRC tool.  In my opinion the Archer tool provides the mix of Archer-delivered structure and content with the flexibility to make modifications to fix an organization's preferences.

Risk Treatment

qtq80-4S6fNW

Based on your organization's business and regulatory environment, the processes to deal with risks go from straight forward to very complex.  Smaller organizations can make these decisions and track the results of those decisions using manual methods but larger, complex and regulated organization will need to consider a GRC tool.  I have implemented both a manual approach and then migrated that process to a RSA/Archer's GRC tool.  In my opinion the Archer tool provides the mix of Archer-delivered structure and content with the flexibility to make modifications to fix an organization's preferences.

Next Steps...

Please contact me to discuss how I can help with any portion of your Risk Management activities.

Contact Me