In this video, Kip Boyle discusses the key planning points for measuring information risks. Learn key tools and techniques to manage information risk in an information security program.
- The rest of the videos in this course will describe how to manage information risks at an executive level. To get the greatest return for our efforts, we'll use everything that we've covered so far about information security program design. Done well, you'll be able to manage information and cyber risks, while at the same time meeting the four goals of your information security program which are to achieve your customer's expectations, be resilient to cyber attacks and cyber failures, be compliant with laws and regulations, and support your executives and the board of directors.
To provide useful examples throughout the rest of this course, I'll be showing you the tools and methods I use when I'm on the job. Here's our overall planning approach. It has five phases. We'll start by doing a fair amount of prep work, then we'll measure our risks. Once we have our measurement data, we can analyze it to understand which risks should be top priority for us. That will set us up to propose specific actions to manage our most serious risks. Finally, we'll regularly communicate the results with our key stakeholders.
Right now, let's dive into preparation. By now you should have chosen your framework and the controls you'll expect to see your organization following. I'll use the NIST Cybersecurity Framework for the rest of this course. You also need to set the scope of your risk management efforts. It's usually best to focus on your highest value information assets like trade secrets, your finances, and sensitive information about your employees and customers. There's a lot of work, and you'll need to coordinate with many other people including your boss, so be sure to document your schedule and refer to it as you go.
You should include major milestones, the specific tasks that need to be done, the names of people assigned to each task, and deadlines for all tasks and milestones. If you're not sure how to do all that, get help from someone in your organization who's experienced with project management. On a related note, you'll need a communications plan. The plan is actually a package of specific messages you'll deliver through various channels at specific times to set expectations and gain support from your boss, peers, and other stakeholders.
In my experience, sending an email to someone a day or two before you need something to support this work won't be good enough. So unless you're experienced at creating a communications plan that utilizes a sequence of prewritten messages delivered over multiple channels, I encourage you to get some help from someone in your organization who's done it a few times. You'll also need a single place to record your measurements. I use a Microsoft Excel workbook. It not only holds my data, it lets me perform some basic statistics and visualization so I can better understand and explain my data to others.
We'll cover data analysis later in the course. You'll need to interview experts from across your organization to know what's really going on at ground level. That means you'll have to figure out who to interview and create a questionnaire to focus the interviews. You'll also need to provide your experts with a score key which will help you to standardize the raw data you collect. You might also want to use some data generated by your security systems. If so, you'll need to come up with a way to fit that data into your measurement system.
We'll cover all this later in the course. Finally, there are many different ways to measure information risks. You'll need to choose one, and we'll soon cover how to make that choice.
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance