What is your risk management framework? What’s your process for managing risks?

12.8k views3 Upvotes4 Comments

Assistant Director IT Auditor in Education, 10,001+ employees
Assistant Director IT Auditor in Education, 10,001+ employees
Implementing a risk management framework is not an easy task, it is a very comprehensive and involves all departments of the organization.  Whatever RMF you decided you use (NIST, ITIL, COBIT, etc.)  will have to be tailored to your organization to align with your business processes and objectives, i.e., use components of the framework that fits your business needs, otherwise, your cost will be very high and success may not be realized.
VP of Global IT and Cybersecurity in Manufacturing, 501 - 1,000 employees
NIST CSF/800 , aligns nicely with ISO 27k. 
Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
I created a hybrid of a few frameworks that works for me and has passed ISO27001, PCI-DSS and STAR.  It scores 80+ threats (natural, human, software, physical…) from 1 - 1,000 with anything above 400 requiring treatment.  Lower scores may still require treatment for a specific category (e.g. Impact) that was “scored in the red” even though the overall score is below 400.  I then score each of those threats against the Critical Functions of the BIA so I can further pinpoint the scope of the threat.  I perform this annually and share with the Steering Committee. This has resulted in both minor (badge to print to control personal use) and major changes (moved from DC to AWS for DR risk).  After sharing with the Committee I create Jira tickets to track and then apply remediation timelines based on risk (High 30 days.....).  Once resolved I share with the Committee and everything is documented in the quarterly Committee meeting notes.                       

Content you might like

Strongly agree5%




Strongly disagree0%

Other (please specify)0%



CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
41k views131 Upvotes319 Comments