What is Security Program Management?
An organization depends on information technology to access critical information and promote communications and coordination among groups inside and outside the organization. In other words, information technology is a strategic asset vital to your organization's viability. It's essential to build a secure information technology infrastructure and manage it with well-deployed processes and tools.
Poor security management leads to organizations that:
Are not fully aware of the information security risks to their operations.
Accept an unknown level of risk by default rather than consciously deciding what level of risk is tolerable.
Have a false sense of security because they rely on ineffective controls.
Deal with security on an ad hoc, reactive basis.
Cannot make informed judgments about whether they are spending too little or too much of their resources on security.
Security Risk Management Phases:
Phase 1: Systems Inventory → Begin with the assets most critical to the continued accomplishment of the organization's mission.
Critical – The organization cannot operate without this asset even for a short period.
Essential – The organization could work around the loss of the information asset for days or perhaps a week, but eventually, the information asset would have to be returned for use.
Regular – The organization can operate without this information asset for a finite period during which units or individuals may be inconvenienced and need to identify alternatives.
Phase 2: Threat Analysis → Identify the potential threats to critical systems. This must involve business process owners and business process users; they are the ones who can recognize and appreciate the threats that have a real likelihood of adversely affecting their ability to accomplish their critical functions.
Phase 3: Infrastructure Vulnerability Assessment → Identify technology vulnerabilities that could be exploited. Once the target systems have been identified, internal and external experts should examine them for weaknesses that could be exploited and estimate the likelihood of someone attacking them. This should lead to a list of corrective actions. Many of these will be corrected on the spot but should still be documented. Some vulnerabilities may not be immediately correctable, but the process documents and recognizes them for subsequent risk management decisions.
Phase 4: Develop Security Recommendations → The first three phases give you a measure of risk, threats, and vulnerabilities and an understanding of how these impact the organization's business. The risk-analysis process should lead an organization not only to control risk but also to define residual risk. Controls are aimed at mitigating recognized risks to a level acceptable to the business. Implementation is a risk/value proposition because all controls have costs associated with them: the costs of operations and maintenance, as well as costs in usability, scalability, and performance. Evaluating controls based on business risk lets you establish a coherent plan for risk mitigation, as opposed to point solutions aimed at technical challenges.
Phase 5: Decision → There should be a strategic and tactical action plan provided or in place. Business owners, together with IT and security personnel, must be responsible for the decision phase. Informed decisions can then be made with a focus on ensuring the continuation of business-critical assets and processes. The possible decisions are to accept the risk (do nothing), mitigate the risk (implement controls), or transfer the risk (buy insurance). The decision to implement controls should be based on the business value they add. Risk management is not a goal in itself; information should be protected only in support of a business need or requirement, and such requirements should be spelled out in information security policies. Risk assessment builds a linkage between business needs and the security program. Onerous decisions (those that impose a heavy burden) that negatively impact business practices, whether in reality or in perception, are best made in an informed manner and then documented and communicated.
Phase 6: Communication and Monitoring → User and management buy-in are critical to the successful implementation of controls. The final stages of the process are making sure that risk-assessment results are communicated to business-process owners and end users, and that the results, both positive and negative, are monitored and assessed for net effect.
Risk Management Cycle
Assess risks and determine the necessary protection requirements.
Select and implement cost-effective policies and controls to meet these needs.
Promote awareness of the policies and controls, and of the risks that prompted their adoption, among those responsible for complying with them.
Implement a program of routine tests and examinations to evaluate the effectiveness of the policies and related controls.
Report the resulting conclusions to those who can take appropriate corrective action.
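The six phases and the risk management cycle above describe one procedure: inventory assets by criticality, pair each with a threat and a vulnerability, estimate the exposure, keep only the controls that are worth their cost, and record an accept/mitigate/transfer decision that can be reported back to the business owners. The following Python risk register is an added example written for this page; it is not code from the SANS course or any named framework. The scoring scheme (annualised loss expectancy as likelihood times impact, a control "earning its keep" when the loss it averts exceeds its annual cost, and a single risk-appetite threshold deciding between accept, mitigate and transfer) is an assumption chosen for illustration, and every asset, threat, control, probability and cost figure is constructed sample data.

```python
# Added example (not from the page): a tiny risk register that walks the
# six phases above. Scoring scheme, figures and names are all constructed.
from dataclasses import dataclass, field
from enum import IntEnum


class Criticality(IntEnum):
    """Phase 1 asset tiers from the page, ranked so the register can be prioritised."""
    REGULAR = 1
    ESSENTIAL = 2
    CRITICAL = 3


@dataclass
class Control:
    name: str
    annual_cost: float           # assumed yearly cost to run the control
    likelihood_reduction: float  # assumed fraction of likelihood removed (0..1)


@dataclass
class Risk:
    asset: str
    criticality: Criticality
    threat: str                  # phase 2: who or what could harm the asset
    vulnerability: str           # phase 3: the weakness the threat would exploit
    likelihood: float            # assumed annual probability of the threat succeeding
    impact: float                # assumed loss if it does (currency units)
    candidate_controls: list = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before any controls."""
        return self.likelihood * self.impact

    def residual_ale(self, controls) -> float:
        """Residual risk after the selected controls are applied."""
        residual = self.inherent_ale()
        for c in controls:
            residual *= 1.0 - c.likelihood_reduction
        return residual


def prioritise(register):
    """Phase 1: most critical assets first."""
    return sorted(register, key=lambda r: r.criticality, reverse=True)


def select_controls(risk):
    """Phase 4: keep a control only when it averts more loss than it costs."""
    chosen = []
    remaining = risk.inherent_ale()
    ranked = sorted(risk.candidate_controls, key=lambda c: c.likelihood_reduction, reverse=True)
    for c in ranked:
        averted = remaining * c.likelihood_reduction
        if averted > c.annual_cost:
            chosen.append(c)
            remaining -= averted
    return chosen


def decide(risk, appetite):
    """Phase 5: accept, mitigate, or transfer, given a risk appetite in currency units."""
    if risk.inherent_ale() <= appetite:
        return "accept", [], risk.inherent_ale()
    chosen = select_controls(risk)
    residual = risk.residual_ale(chosen)
    if chosen and residual <= appetite:
        return "mitigate", chosen, residual
    # No cost-effective control brings the risk within appetite: insure it.
    return "transfer", chosen, residual


def report(register, appetite):
    """Phase 6: one row per risk, in the order the business should hear about them."""
    rows = []
    for r in prioritise(register):
        decision, controls, residual = decide(r, appetite)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": round(r.inherent_ale(), 2),
            "decision": decision,
            "controls": [c.name for c in controls],
            "residual": round(residual, 2),
        })
    return rows


# Constructed sample register (figures are illustrative, not real estimates).
REGISTER = [
    Risk("order-processing-db", Criticality.CRITICAL, "ransomware", "unpatched file server",
         0.3, 500_000,
         [Control("offline backups", 20_000, 0.6), Control("patch management", 15_000, 0.5)]),
    Risk("cafeteria-menu-site", Criticality.REGULAR, "defacement", "outdated CMS plugin",
         0.5, 2_000, [Control("plugin updates", 3_000, 0.9)]),
    Risk("payroll", Criticality.ESSENTIAL, "insider fraud", "single approver for payments",
         0.1, 1_000_000, [Control("segregation of duties", 80_000, 0.5)]),
]
APPETITE = 40_000  # assumed: the largest annualised loss the business will carry uncontrolled

if __name__ == "__main__":
    for row in report(REGISTER, APPETITE):
        print(row)
```

Running it prints the register in criticality order: the database risk is mitigated (both controls avert more than they cost, leaving a residual of 30,000 under the 40,000 appetite), the payroll risk is transferred (the only candidate control costs more than the loss it would avert, so the residual stays at 100,000), and the menu site is accepted as-is. Changing `APPETITE` or a control's cost shows how the decision, not just the score, moves with the business inputs, which is the point of Phase 5.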
References: https://www.sans.org/cyber-security-courses/intro-risk-assessment/