For proper cyber protection, an enterprise must either run its own cyber risk management function or employ expert third-party firms. Either way, each organization must have its own Information Systems Risk Management (ISRM) policy. This policy is not to be confused with the overall company-wide risk management framework; the ISRM policy is a subset of the overall risk management policy.
ISRM Policy: What it is
This is an organization’s set of guidelines that form the foundation for performing risk identification, assessment, and mitigation on information security issues alone. It also gives direction on the communication channel used to report risks to management and on how to execute management decisions.
ISRM Policy: What should it include
Just like the company-wide risk management program, the ISRM policy should be holistic. According to Harris et al., ISRM policy should contain the following:
- Objectives of the policy
- Acceptable level of risk by your company
- Formal process of risk identification
- Connection between ISRM policy and your organization’s strategic planning processes
- Responsibilities that fall under ISRM and the roles to fulfill them
- Mapping risks to internal controls
- The approach to changing staff behaviors and resource allocation in response to risk analysis
- Mapping risks to performance targets and budgets
- Key indicators to monitor the effectiveness of controls
Personally, I would add the following to the list:
- Formal process of risk assessment and mitigation
- Communication channel between risk team and management
- Development training for effective risk management
ISRM Policy: How it is implemented on the front line of defense
So what does this mean for the SOC analyst or cyber security consultant on the front line of defense? The risk changes from project to project, but the ISRM policy serves as a firm standard for reference. Regardless of the situation at hand, he or she should follow the set procedures for risk management, use the agreed medium for communicating cyber risk to management, and always look for ways to improve (through training, seminars, etc.).
As you would expect, this is the case with all who are involved in offering information security risk services – they will all follow the ISRM policy which provides the strategy.