Please enable JavaScript.

Coggle requires JavaScript to display documents.

Information risk management is the practice of balancing business…

- - - - types of loss
        
        • Productivity Lost productivity caused by the incident
        
        • Response The cost expended in incident response
        
        • Replacement The expense required to rebuild or replace an asset
        
        • Fines and judgments All forms of legal costs resulting from the incident
        
        • Competitive advantage Loss of business to other organizations
        
        • Reputation Loss of goodwill and future business
      - way threat agent acting
        
        • Access Reading data without authorization•
        
        Misuse Using an asset differently from intended usage
        
        • Disclose Threat agent shares data with other unauthorized parties
        
        • Modify Threat agent modifies asset
        
        • Deny use Threa
  - - - perimeters
        
        Hardware Assets
        
        This includes the make, model, serial
        
        number, asset tag number, logical name, and any other means for identifying the asset.
        
        Initially, this may signify the purchased value but
        
        may also include its depreciated value if an IT asset management program is associated with the organization’s financial asset management program.
        
        Location
        
        Security management programs
        
        almost always include a plan for classifying the sensitivity of information and/or information systems. Example classifications include secret, restricted, confidential, and public.
        
        Asset group
        
        Owner
        
        Occasionally, the ownership and operations of
        
        assets will be divided into two bodies, where the owner owns them but a custodian operates or maintains them.
        
        Subsystem and Software Assets
        
        Information Assets
        
        Customer information
        
        Intellectual property
        
        Business operations
        
        Organizations that use
        
        infrastructure as a service (IaaS) have virtual operating systems that are another form of information. Even though these operating systems are not purchased but instead are rented, there is nonetheless an asset perspective: they take time to build and configure and therefore have a replacement cost. The value of assets is discussed more fully later in this section.
        
        Cloud-Based Information Assets
        
        Virtual Assets
        
        virtualization
        
        SDN
      - Asset Classification
        
        determine criticality for each assets
        
        information sensitivity
        
        operational dependency
        
        perimeter
        
        information classification
        
        Monetary value
        
        information
        
        must be available at all times, or perhaps the information is related to some factors of business resilience. Examples of information in this category include virtual server images, incident response procedures, and business continuity procedures. Corruption or loss of this type of information may have a significant impact on ongoing business operations.
        
        Accuracy or integrity
        
        Sensitivity
        
        System Classification
        
        classified according to the highest classification level of information stored, processed, or transmitted through it
        
        zones of protection
        
        Data, asset, and systems classification can often be extended to
        
        facilities classification in larger organizations. Facilities classification is a method for assigning classification or risk levels to work centers and processing centers, based on their operational criticality or other risk factors. The purpose for facilities classification is to develop more consistent security controls for facilities with similar risk levels.
        
        Information Classification levels
        
        With too many levels of classification, there is a greater
        
        chance that information will be misclassified and then put at risk when handled at a too low a level. With too few levels, the organization will either have excessive resources protecting all information at a higher level or insufficient resources protecting information inadequately.
        
        classic levels
        
        Merger and acquisition plans, user and system
        
        account password, and encryption keys
        
        Credit card numbers, bank account numbers,
        
        Social Security numbers, detailed financial records, detailed system configuration, and vulnerability scan reports
        
        System documentation, end-user
        
        documentation, internal memos, and network diagrams
        
        Marketing collateral, published financial reports,
        
        and press releases
      - Asset valuation
        
        Methods
        
        Qualitative Asset Valuation
        
        Quantitative Asset Valuation
        
        value
        
        If the asset is a hardware asset, its
        
        valuation might be determined to be the cost ofpurchasing (and deploying) a replacement. If the asset is a database, its cost might be determined to be the operational costs to restore it from backup or the costs to recover it from its source such as a service provider.
        
        value of an asset in the organization’s financial system, typically the purchase
        
        price less depreciation.
        
        If the asset directly or
        
        indirectly generates revenue, this valuation method may be used.
        
        If the asset is a virtual machine, its
        
        valuation might be determined to be the cost of setting it up again. This is typically a soft cost if it is set up by internal staff, but it could be a har
        
        If the asset is a database, its cost might be determined to be the cost of
        
        creating it again. If the asset is intellectual property such as software source code, its valuation might b
        
        If the asset is a database
        
        containing sensitive data, its valuation might be measured in the form of financial costs that result from its theft or compromise. While the cost of recovering that database may be relatively low, the consequences of its compromise could cost hundreds of dollars per record. This is a typical cost when measuring the full impact of a breach.
    - - ALTERNATIVE (from internet)
        
        process
      - Risk Assesment
        
        Risk identification
        
        x
        
        This includes an overall risk
        
        assessment or a focused risk assessment.
        
        notion that is found out in an other place in the process
        
        scope
        
        overall
        
        focused
        
        This may be one of several activities, including a security scan, a penetration test, or a source code scan.
        
        For each asset, business process, and staff members being examined, vulnerabilities need to be identified.
        
        Then, various threat scenarios are examined to
        see which ones are made more likely because of
        corresponding vulnerabilities.
        
        Vulnerability Identification
        
        forms of vulnerabilities
        
        5 more items...
        
        detection technics
        
        1 more item...
        
        location
        
        2 more items...
        
        This is an advisory from a product vendor, threat intelligence feed, or news story.
        
        Threat actors
        
        The identification of threats is a key step in a risk assessment. A
        
        threat is defined as an event that, if realized, would bring harm to an asset and, thus, to the organization
        
        Definition
        
        1 more item...
        
        methods
        
        1 more item...
        
        types
        
        3 more items...
        
        Risk analysis
        
        probability and impact of occurence
        
        Notions
        
        ISO: Risk is the combination of the probability of an event
        
        and its consequence.” This is an excellent way to understand risk in simple, non-numeric terms.
        
        Risk = threats × vulnerabilities
        
        Risk = threats × vulnerabilities × asset value
        
        Risk = threats × vulnerabilities × probabilities
        
        Likelihood of a serious security
        
        incident has less to do with technical details and more to do with the thought process of an adversary
        
        Here, the risk analyst studies event scenarios and calculates the
        
        likelihood that an event associated with the risk will occur. This is typically expressed in the number of likely events per year.
        
        considerations
        
        5 more items...
        
        mpact is perhaps the most important attribute to
        
        understand for a threat scenario. A risk assessment can describe all types of threat scenarios, the reasons behind them, and how they can be minimized, but without understanding the impact of threat scenarios, a risk manager cannot determine how important one threat is from another, in terms of the urgency to mitigate the risk.
        
        The risk analyst studies different event scenarios and determines the impact of each. This may be expressed in quantitative terms
        
        (dollars or other currency) or qualitative terms (high/medium/low or a numeric scale of 1 to 5 or of 1 to 10).
        
        is the actual or expected result from some action such as a threat or disaster
        
        scenarios
        
        10 more items...
        
        evaluation
        
        3 more items...
        
        he risk analyst studies different available methods for mitigating the risk. Depending upon the type of risk, there are many techniques, including
        
        changing a process or procedure, training staff, changing architecture or configuration, or applying a security patch.
        
        After studying a risk, the risk analyst may develop a recommended course of action to address the risk. This reflects that fact that the individual
        
        performing risk analysis is often not the risk decision- maker.
        
        the security manager examines assets,
        
        together with associated vulnerabilities and likely threat scenarios.
        
        consideration
        
        dimensions of an asset
        
        • Asset value
        
        • Threat scenarios
        
        • Threat probabilities
        
        • Relevant vulnerabilities
        
        • Existing controls and their effectiveness
        
        • Impact
        
        business criticality
        
        if BIA is available.
        
        Gathering Information
        
        approaches
        
        Quantitative Risk Analysis
        
        Semiquantitative Risk Analysis
        
        Qualitative Risk Analysis
        
        difficulties
        
        2 more items...
        
        Methods
        
        Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)
        
        steps
        
        8 more items...
        
        Here, questionnaires are distributed to a
        
        panel of experts in two or more rounds. A facilitator will anonymize the responses and distribute them to the experts. The objective is for the experts to converge on the most important risks and mitigation strategies.
        
        Derived from the fault tree
        
        analysis method (described next), ETA is a logic-modeling technique for analysis of success and failure outcomesgiven a specific event scenario, in this case a threat scenario.
        
        This is a logical modeling
        
        technique used to diagram all the consequences for a given event scenario. FTA begins with a specific scenario and proceeds forward in time with all possible consequences. A large “tree” diagram can result that depicts many different chains of events.
        
        Derived from Monte Carlo
        
        computational algorithms, this analysis begins with a given system with inputs, where the inputs are constrained to minimum, likely, and maximum values. Running the simulation provides some insight into actual likely scenarios.
        
        Risk Evaluation and Ranking
        
        The results of a risk assessment should be analyzed in several different ways
        
        •Looking at all risks by business unit or service line
        
        •Looking at all risks by asset type
        
        •Looking at all risks by activity type
        
        •Looking at all risks by type of consequence
        
        better approach
        
        improve or reorganize the access or vulnerability management programs from the top down
        
        Organizations need to consider not just the details in a risk assessment but the big picture
        
        notes
        
        risk with low probability of occurrence and high impact
        
        1 more item...
        
        Risk Ownership
        
        Residual Risk
        
        risk that remains after risk treatment is applied
        
        Controls
        
        when an organization identifies a risk in a risk assessment, the organization might decide to develop (or improve) a control that will mitigate the risk that was found.
        
        Legal and Regulatory Considerations
        
        regulations approaches
        
        Mandatory protective measures
        
        Optional protective measures
        
        1 more item...
        
        Mandatory risk assessments
        
        Compliance risk
        
        forms
        
        2 more items...
        
        notes
        
        1 more item...
        
        Costs and Benefits
        
        ponder options for risk treatment
        
        regarding expected benefits
        
        considerations
        
        Change in threat probability
        
        Change in threat impact
        
        Aside from the
        
        direct cost of the mitigating control, organizations need to understand the impact on the mitigating control on other operations. For instance, adding code review steps to a software development process may mean that the development organization may complete fewer fixes and enhancements in a given period of time.
        
        When an organization
        
        considers a mitigation plan, the best approach is tounderstand its total cost of ownership, which may include costs for the following: • Acquisition • Deployment and implementation • Recurring maintenance • Testing and assessment • Compliance monitoring and enforcement • Reduced throughput of controlled processes • Training • End-of-life decommissioning
        
        2 more items...
        
        individual decision-maker
        
        or committee makes a decision about a specific risk
        
        decision
        
        the organization elects to take no action
        
        related to the risk.
        
        framework
        
        have to be reviewed annually
        
        • The value of the asset may have changed during the year.
        
        • The value of the business activity related to the asset mayhave changed during the year.
        
        • The potency of threats may have changed during the year, potentially leading to a higher risk rating.
        
        • The cost of mitigation may have changed during the year, potentially leading to greater feasibility for risk mitigation or transfer.
        
        The organization chooses to mitigate the risk.
        
        This takes the form of some action that serves to reduce the probability of a risk event or reduce the impact of a risk event. The actual steps taken may include business process changes, configuration changes, the enactment of a new control, or staff training.
        
        Risk mitigation may, at times, result in a task that can be
        
        carried out in a relatively short period of time. However, riskmitigation may also involve one or more major projects that start in the future, perhaps in the next budget year or many months or quarters in the future. Further, such a project may be delayed, its scope may change, or it may be canceled altogether. For this reason, the security manager needs to carefully monitor risk mitigation activities to ensure they are completed as originally agreed so that the risk mitigation is not forgotten
        
        The practice of transferring risk is typically
        
        achieved through an insurance policy, although other forms are available, including contract assignment.
        
        decision to employ an external organization to accept the risk
        
        cyber-risk insurance
        
        purchase of an incident response retainer
        
        A risk assessment may reveal the absence of security
        monitoring of a critical system. Another form of risk transfer involves the use of an external security services provider to perform monitoring of the critical system.
        
        the organization chooses to discontinue the
        
        activity associated with the risk. This choice is typically selected for an outdated business activity that is no longer profitable or for a business activity that was not formally approved in the first place.
        
        decision to discontinue that activity that precipitates the
        risk
        
        ignoring
- - - - log of historic and newly identified risks
        
        contains risk metadata about each risk that helps security managers and executives understand all of the organization’s risks, including information that helps them understand which risks are more serious than others, which are associated with various business activities, and other means of categorization that are useful to the organization
      - A risk register is a business record that contains information about business risks and information about their origin, potential impact, affected assets, probability of occurrence, and treatment. A risk register is the central business record in an organization’s risk management program, the set of activities used to identify and treat risks.
      - forms
        
        risk register can be stored in a spreadsheet, database, or within a governance, risk, and compliance tool used to manage risk and other activities in the security program
      - entries
        
        table
        
        suite
      - Sources of Information for the Risk Register
        
        Risk assessment
        
        Vulnerability assessment
        
        Internal audit
        
        Threat intelligence
        
        Industry development
        
        New laws and regulations
        
        Consultants
      - Strategic vs. Tactical Risks
      - Risk Analysis Contribution
  - - - executive management will prioritize business functions
      - established by conducting a business impact analysis
      - ornerstone objective in business continuity planning (BCP)
  - - - It would be a mistake to call MTD a target, but sometimes it is referred to as a target. It would be better to consider MTD as an arbitrary “point-of-no-return” time value.
      - acceptable interruption window (AIW)
    - - maximum acceptable outage (MAO)
      - Like MTD, MTO is not a target, but when MTO is set, then recovery targets such as RTO, RPO, and RCapO can be established.
    - - dimension
        
        quantity of work
        
        quality
        
        timeliness
        
        remedies for shortfalls
        
        quality
        
        quantity
  - - - seek to discover risks and develop remedies for events that threaten business operations and the ongoing viability of an organization
      - rely on risk assessments to identify risks that will require mitigation
      - can rely on the results of a business impact analysis to better understand the criticality of business processes and the interdependency of processes and assets.
      - identifies threats that, if unchecked, could unfold into disaster scenarios
      - Many of the threat scenarios in a risk assessment are disaster situations used in business continuity planning
  - - - Shared Responsibility Model
      - Security Shared Responsibility Model
    - - Initial Assessment Prior to the establishment of a business relationship
        
        assess and evaluate the third party for suitability
        
        equire that each third party provide information describing its services, generally in a structured manner
        
        request for information (RFI)
        
        request for proposal (RFP)
      - Legal Agreement
        
        Security and/or privacy program
        
        Security and/or privacy controls
        
        Vulnerability assessments
        
        External audits and certifications
        
        Security incident response
        
        Security incident notification
        
        Right to audit
        
        Periodic review
        
        Annual due diligence
        
        Cyber insurance
      - Classifying Third Parties
        
        Questionnaires and Evidence
        
        artifacts
        
        • Security policy
        
        • Security controls
        
        • Security awareness training records
        
        • New-hire checklists
        
        • Details on employee background checks (not necessarily actual records but a description of the checks performed)
        
        • Nondisclosure and other agreements signed by employees
        
        (not necessarily signed copies but blank copies)
        
        • Vulnerability management process
        
        • Secure development process
        
        • Copy of general insurance and cyber insurance policies
        
        • Incident response plan and evidence of testing
        
        Assessing Third Parties To discover risks to the business, organizations need to assess their third parties, not only at the onset of the business relationship (prior to the legal agreement being signed, as explained earlier) but periodically thereafter.
        
        risks
        
        • Financial risk
        
        • Geopolitical risk
        
        • Inherent risk
        
        • Recent security breaches
        
        • Lawsuits
        
        • Operational effectiveness/capabilities
  - - - Threat modeling Implemented during the design phase to anticipate potential threats and incorporate design features to block them.
      - Coding standards Standards that specify allowed and disallowed coding techniques, including those more likely to introduce security defects and other defects.
      - Code reviews Reviews performed by peers that are part of the program development and maintenance process. Apeer is more likely to find defects in security problems than the developer who wrote the code.
      - Code scanning Performed in the developer’s IDE or executed separately in the developers’ central software build environments.
      - Application scanning Performed on web applications to discover exploitable defects.
      - Application penetration testing Performed periodically by internal personnel or by qualified security advisory firms.
      - CONCEPT
        
        security by design
    - - request for change
        
        • Description of the change
        
        • Reason for the change
        
        • Who will perform the change
        
        • When will the change be performed
        
        • A procedure for making the change
        
        • A procedure for verifying the change
        
        • A back-out procedure in case the change cannot be verified
        
        • Security impact of the change and also of not implementing the change
        
        • Privacy impact
        
        • Dependencies
        
        • Defined change windows
    - - Protection of configuration management data from unauthorized access
      - Inclusion of security-related information in configuration management data
    - - primary security- and risk-related considerations
        
        Security or risk component associated with an
        
        incident IT personnel analyzing an incident or problem need to understand the security nature of the incident or problem, including whether the incident or problem has an impact on security. For instance, a malfunctioning firewall may be permitting traffic to pass through a control point that should not be permitted. Further, many security incidents are first recognized as simple malfunctions or outages and recognized later as symptoms of an attack. For example, users complaining of slow or unresponsiveservers may be experiencing the effects of a distributed denial-of-service (DDoS) attack on the organization’s servers, which, incidentally, may be a diversionary tactic to an actual attack occurring elsewhere in the organization. In the context of problem management, a server suffering from availability or performance issues may have been compromised and altered by an attacker.
        
        Security or risk implication associated with actions to restore service IT personnel analyzing an incident and working to restore service need to understand the security and risk impact that their analysis and corrective actions have on IT systems and associated information. For example, rebooting a security server in an attempt to remedy a situation may result in a loss of visibility and/or protection from events.
        
        Security or risk implications associated with root-cause analysis (RCA) Root-cause analysis is defined as the analysis of a problem in order to identify its underlying origin, instead of merely its symptoms and factors. IT personnel analyzing a problem must be aware of the security and risk considerations while performing root-cause analysis. IT personnel need the skills to recognize the security and risk implications of symptoms and origins. For example, a problem with server availability was traced to some file system permissions that were set improperly; those file system permission changes affected the ability for users to directly access sensitive data that should be accessed only by an application.
        
        Security or risk implications associated with corrective action IT personnel analyzing a problem must be aware of the security and risk implications of changes being considered within business processes and technology. For instance, an application malfunction that is corrected by elevating its service account to the privileged (administrative) level may solve the underlying access permission error, but it creates significant risks as well.
    - - ways
        
        Ensuring that business continuity and disaster recovery planning adequately covers information and physical security concerns
        
        Ensuring that information and physical security risks exist on a common risk register and are managed in a common risk management and risk treatment process
        
        Ensuring that information systems with high availability requirements are located in facilities with high availability as part of their design
        
        Ensuring that IP-based physical security assets and systems are incorporated into the organization’s overall technology and security architecture, with adequate protection based on risk
        
        ncorporating physical facilities into the organization’s information and asset classification program so that facilities and work centers can also be rated and adequately protected based on classification and risk
        
        Incorporating physical facility access into the organization’s identity and access management program
        
        Ensuring that supervisory control and data acquisition (SCADA) and industrial control systems (ICS) are supporting, monitoring, and controlling the environmental systems that support information technology such as heating, ventilation, and air-conditioning (HVAC) and that physical access control systems are monitored in a common monitoring platform
    - - Background checks
        
        Background checks Prior to hiring an individual, an organization uses various means to verify the background of a candidate and to ensure that they are free of a criminal history and other undesired matters.
      - Legal agreements
        
        Legal agreements An organization will generally direct new employees to agree to and sign legal documents including nondisclosure, non compete, and compliance with security and other organization policies.
      - Training
        
        Training HR organizations are typically responsible for delivering training of all kinds to its workers, including but not limited to security awareness training. This helps workers in the organization better understand the organization’s security policy, the importance of information and asset protection, and practices in place for information protection.
      - Development and management of roles
        
        Development and management of roles HR organizations typically create and maintain job descriptions, which should include security-related responsibilities, and a hierarchy of positions in the organization.
      - Most HR organizations today utilize an
        
        HRIS for all official records concerning its workers. Many HRIS systems today are integrated with an organization’s identity and access management system: when an employee is hired, transferred, or terminated, a data feed from the HRIS to the identity and access management (IAM) platform ensures that axis management information and systems are kept up-to-date. This makes it all the more important that HRIS systems have accurate information in them.
    - - Risk analyses should be performed at the onset of a project
      - The impact of a project or program on the organization’s security, compliance, and privacy must be established prior to any procurement, development, or implementation
      - Security requirements need to be included in any activity where requirements are developed
  - - - Security manager
        
        performrisk monitoring
        
        report risk levels
        
        identify unexpected changes in risks levels
        
        Information security managers should periodically meet with senior managers and executives to give them an update on key changes in the information security program and on changes to key risk indicators.
        
        executive management
        
        senior management
    - - internal audit
      - control self-assessment
      - vulnerability assessments
      - risk assessments
    - - often done using dashboards, which may be part of a GRC system’s risk management function that permits drill-down when desired
    - - measure of information risk
        
        reveal trends
        
        level of risk of security incident
      - areas
        
        • Number of security incidents resulting in external notifications
        
        • Changes in attrition rates for IT workers and for key business employees
        
        • Amount of money paid out each quarter in an organization’s bug bounty program
        
        • Percentage of employees who have not completed the required security training
        
        • Numbers of critical and high risks identified in risk assessments
      - The most useful key risk indicators are those that serve as
        
        leading indicators, which communicate increases or decreases in the probability of future security incidents and events
  - - - majority of security incidents happen because of human
        error.
    - - • Lack of awareness of the risks associated with general computing and Internet use
      - • Lack of training and experience in the configuration and operation of systems and applications
      - • Lack of training and awareness of key business processes and procedures
      - • Lack of information on workers’ responsibilities for reporting problems and incidents
  - - - • Policy and objectives, such as how risk management is run in the organization
      - • Roles and responsibilities, such as who is responsible for various activities
      - • Methods and techniques, such as how probability and impact of risks are evaluated and scored
      - • Locations for data storage and archival, such as where the risk register and risk treatment records reside
      - • Risk tolerance, such as how acceptable and unacceptable risks are defined
      - • Business rules for why something is included in the risk register
      - • Risk treatment procedures and records
      - • Procedures and methods for the development of metricsand key risk indicators
      - • Communication and escalation protocols defined
      - • Review cycle defined to be sure the program is in alignment with the business
- - - - support from executive management
      - organization’s culture with respect to security awareness
        and accountability
  - - - Organization
        
        Mission
        
        Objectives
        
        Goals
      - risk tolerance
        
        stated
        
        unstated
      - financial health
      - Management
        
        structure
        
        Support
      - Culture
    - - Legal obligations
        
        Applicable laws
        
        Regulation
        
        ..
      - Market condition
      - Industry sector
      - climates
        
        social
        
        political
      - customer base/type
  - - - risk aware planning
      - thinking
      - decision-making
  - - - based
        
        business objectives
      - defined
        
        success criteria
        
        business requirement
        
        technical requirement
      - prior to
        
        purchase specific technologies
- - - - related
        
        Executive management’s risk appetite
        
        risk tolerance
        
        ability to absorb losses
        
        ability to build defenses
        
        Regulatory and legal requirements
    - - people
      - processes
      - technology
  - - - implementation
      - refinement
  - - - other instances or pockets of risk management
      - ERM (if existing)
  - - - stakeholders
        
        how the risk management program will work
        
        the role they will play in it being an effective program in
        achieving business objectives
      - Successful information risk management requires that the channels of communication be open at all times and operate in all directions
    - - security awareness
        
        applies to an entire organization
      - the goal of risk awareness is to ensure that business leaders and decision-
        
        makers are aware of the idea that all business decisions have a risk component and that many decisions have implications on information risk. Further, they need to be aware of the presence of a formal information risk management program, which includes a process and techniques for making risk-aware decisions.
        
        encompasses senior personnel who are involved in
        the risk management process
    - - may be done directly by security manager
        
        keys
        
        • Ability to listen to business leaders
        
        • Ability to assess the information and how it may impact a process or business unit, as well as identify other areas in the business the issue may cascade to
        
        • Have a good understanding of the business, not just the technology supporting the business
- - - - — Requirements.”
        
        Requirements 4 through 10 in this standard describe the structure of an entire information security management system (ISMS) including risk management.
      - • ISO/IEC 27005, “Information Technology — Security
        Techniques — Information security risk management.”
      - • ISO/IEC 31010, “Risk management — Risk assessment
        techniques.”
      - • NIST Special Publication 800-37, “Guide for Applying the
        Risk Management Framework to Federal Information
        Systems: A Security Life Cycle Approach.”
      - • NIST Special Publication 800-39, “Managing Information
        Security Risk.”
      - • COBIT 5.
      - • RIMS Risk Maturity Model.
      - • Facilitated Risk Assessment Process.
    - - select frameworks aligned with organization practicies
      - select elements from one or more frameworks to build the organization’s risk management program
    - - program scope
      - Information risk objectives
      - information risk policy
      - Risk appetite/tolerance
      - Roles and responsibilities
      - risk management lie-cycle process
      - Risk management documentation
      - Management renew
- - - - market economic conditions
      - applicables régulation
  - - - understand current state
      - develop adequate plan for future state
        
        define
        
        document
        
        highlight
  - - - • Security round tables
      - • Organization chapters
        
        • Information Systems Security Association (ISSA)
        
        • International Information Systems Security Certification Consortium, known as (ISC)2
        
        • ISACA (formerly known as the Information Systems Audit and Control Association)
        
        • Society for Information Management (SIM)
        
        • Society of Information Risk Analysts (SIRA)
        
        • Cloud Security Alliance (CSA)
        
        • InfraGard
        
        • International Association of Privacy Professionals
        (IAPP)
      - Published risk management practices
        
        • (ISC)2
        
        • ISACA
        
        • SANS Institute
      - Sources for security industry news
        
        • Information Security Magazine
        
        • SC Magazine
        
        • CSO Magazine
        
        • CIO Magazine
        
        • Dark Reading
        
        • TechTarget
        
        • (ISC)2
        
        • ISACA
        
        • SANS
      - Reports from research organizations