Aug 20, 2014 | Compliance, Information Security, Risk Management
Over the last few years I’ve seen many different types of Security Organizations. Some organizations centralize IT Security, some security shops have a hybrid security organization with some security technology under Security and other technology under IT Infrastructure, and...
Aug 20, 2014 | Compliance, Information Security, ISO27001, Risk Management
By Justin Fimlaid. The new version of ISO27001 is coming out soon. This is the first revision of ISO27001:2005. This is exciting to me, and means a couple of things: our industry is maturing and we have a new platform for growth and guidance. There’s so much...
Aug 20, 2014 | Information Security, Risk Management
I was reflecting back to my Sun Microsystems days this morning; for some very odd reason my mind went to a time when Greg Papadopoulos (our then Chief Technology Officer) spoke about his Red Shift Theory. The idea of Mr Papadopoulos’ theory was that, and I quote...
Aug 20, 2014 | Audit, Information Security, Risk Management
You’ve identified your risk. You’ve taken a big-picture view of risk in the context of the enterprise. You’ve calculated the residual risk and communicated your findings to management. What’s next? Monitor your risks! Some risks you monitor for...
Aug 20, 2014 | Audit, Information Security, Risk Management
Integrated Risk Management Part 5: Aggregating risk data and reporting to Executive Management
By this point you should see your risk program coming together. Last week we talked about risk response and key risk indicators. Risk response from the owner is important...
Aug 20, 2014 | Audit, Information Security, Risk Management
Risk Response is the activity following the Risk Assessment when a Risk has been identified. The response to the risk identified is usually completed by the management (or risk owner) of the business unit for which the risk was identified. The response should...
Aug 20, 2014 | Compliance, Information Security, Risk Management
There’s a sweet spot when it comes to managing enterprise risk. It’s the balance of risk assumed by the business and the business benefit. It’s a case of the three bears–too much risk and the business is not rewarded properly, too little risk...
Aug 20, 2014 | Compliance, Information Security, Risk Management
Integrated Risk Management Part 2: Applying Risk Management to the Company Strategy
Risk should be considered at all times and at all levels of the organization. One area to start assessing risk is when a company’s strategy is being conceived. This...
Aug 20, 2014 | Compliance, Information Security, Risk Management
One of the preliminary things you want to do when establishing an Integrated Risk Management approach is to establish your guidelines for how you identify, evaluate, and communicate risk. This establishes your common definition of risk measurement across your enterprise...
Aug 20, 2014 | Compliance, Information Security, Risk Management
I read an article today that really hit home and prompted me to write this blog post. The article was in Security Week, titled “How a CISO Can Be a Change Agent Within a Company”, written by Mark Hatton. It’s a great article, and very true–Mark made...