What is your risk management framework? What’s your process for managing risks?

Governance, Risk & ComplianceSecurity & GRC
12.8k views3 Upvotes4 Comments
Assistant Director IT Auditor in Education, 10,001+ employees
NIST RMF
2
Assistant Director IT Auditor in Education, 10,001+ employees
Implementing a risk management framework is not an easy task, it is a very comprehensive and involves all departments of the organization.  Whatever RMF you decided you use (NIST, ITIL, COBIT, etc.)  will have to be tailored to your organization to align with your business processes and objectives, i.e., use components of the framework that fits your business needs, otherwise, your cost will be very high and success may not be realized.
1
VP of Global IT and Cybersecurity in Manufacturing, 501 - 1,000 employees
NIST CSF/800 , aligns nicely with ISO 27k. 
1
Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
I created a hybrid of a few frameworks that works for me and has passed ISO27001, PCI-DSS and STAR.  It scores 80+ threats (natural, human, software, physical…) from 1 - 1,000 with anything above 400 requiring treatment.  Lower scores may still require treatment for a specific category (e.g. Impact) that was “scored in the red” even though the overall score is below 400.  I then score each of those threats against the Critical Functions of the BIA so I can further pinpoint the scope of the threat.  I perform this annually and share with the Steering Committee. This has resulted in both minor (badge to print to control personal use) and major changes (moved from DC to AWS for DR risk).  After sharing with the Committee I create Jira tickets to track and then apply remediation timelines based on risk (High 30 days.....).  Once resolved I share with the Committee and everything is documented in the quarterly Committee meeting notes.                       

Content you might like

Does your company have a data recovery process in place?

Data & AnalyticsBusiness IntelligenceSecurity & GRC+1 more

Yes87%

No9%

Not sure2%


775 PARTICIPANTS
2.9k views

Confusion between strategic and operational risk management limits an organization's ability to manage them effectively.

Risk ManagementGovernance, Risk & ComplianceThird Party Risk Management (TPRM)

Strongly agree5%

Agree73%

Neutral17%

Disagree3%

Strongly disagree0%

Other (please specify)0%


367 PARTICIPANTS
1.4k views

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
41k views131 Upvotes319 Comments

Does the risk of Ransomware and malware propagation bother you? Is IoT security a top of mind for you? To protect against many risks, we have witnessed success of micro-segmentation in the data center. Would you be willing to deploy similar solution for the campus? I am very curious to get your feedback?

Security & GRCThreat & Vulnerability Management
Read More Comments
2.8k views5 Upvotes5 Comments

Any recommendations on OT security product? I tried pushing Crowdstrike but it wasn't approved by OEMs. Other two are Claroty and Nozomi. Any feedback either on above two or any other as per your experience?

Security & GRCStrategy & Architecture
Read More Comments
1.8k views1 Upvote2 Comments