Running Head: RISK MANAGEMENT FRAMEWORK

Risk Management Framework

Name

Institution Affiliations

Date

Part One

My chosen type of risk management framework is risk mitigation and governance. I chose this kind of framework because it lets the business organization decide, as part of its risk assessment strategy, which potential risks to eliminate and which to mitigate (Green, 2015). Risk mitigation may be achieved through the outright sale of assets or liabilities, the purchase of insurance, hedging with derivatives, or diversification within the organization.

Risk governance, in turn, ensures that every employee of the organization carries out his or her assigned roles and responsibilities in accordance with the risk management framework. It defines the responsibilities of each employee, segregates those responsibilities, and assigns authority to personnel, committees and the board of directors for approving core risks, risk limits, exceptions to those limits and risk reports. It also ensures that these responsibilities are subject to general oversight by the organization's top management.

ISO/IEC 27002 is a set of information security guidelines intended to help an organization implement, maintain and improve its information security management. The standard is useful for identifying threats to information security and for improving the organization's own information security management.

It also elaborates the controls and control mechanisms listed in ISO/IEC 27001, providing implementation guidance for each of them. The controls in ISO 27002 are intended to address the specific issues identified in a formal risk assessment, and the standard also gives guidance for developing security standards and effective security management practices. It is published jointly by the International Organization for Standardization and the International Electrotechnical Commission and complements ISO 27001, which is the certifiable specification: ISO 27001 lists the controls in its Annex A, and ISO 27002 explains how to implement them (McCrie & Snedaker, 2017). The two standards are used together.

ISO/IEC 27001 is a specification for the framework of policies and processes that covers all the legal, technical and physical controls involved in an organization's information risk management process. It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS) (Kissel, 2015).

Part Two

Risk assessment is the first process in the risk management methodology. It determines the extent of the potential threat, and the risk associated with it, for an information technology system throughout the system development life cycle (SDLC) (Greene, 2014). Executing a risk assessment in an organization involves nine steps: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendation, and results documentation.

System characterization defines the scope of the effort: the boundary of the IT system, together with the resources and information that constitute it. Threat identification locates the threat-sources that could exploit the system's vulnerabilities. Vulnerability identification produces a list of flaws or weaknesses in the system and its environment that a threat-source could exercise (Feringa, Goguen & Stoneburner, 2012). Control analysis examines the controls that have already been implemented, or are planned, to reduce the likelihood that a threat-source will exercise a vulnerability.

Likelihood determination rates the probability that a vulnerability will be exercised, taking into account the threat-source's motivation and capability, the nature of the vulnerability, and the existence and effectiveness of current controls. Impact analysis determines the adverse impact that would result from a successful threat exercise of a vulnerability, in terms of loss of integrity, availability and confidentiality (Feringa, Goguen & Stoneburner, 2012).

Risk determination assesses the level of risk to the IT system, expressed as a function of the likelihood that a threat-source will exercise a vulnerability and the magnitude of the resulting impact. Control recommendation proposes controls that could mitigate or eliminate the identified risks and that are appropriate to the organization. Results documentation records the outcome in an official report or briefing as soon as the risk assessment has been completed (Feringa, Goguen & Stoneburner, 2012).
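The likelihood-determination, impact-analysis, risk-determination and control-recommendation steps above, worked through in code. This is an added example and is not part of the paper or of the NIST guide it cites. The three-level rating weights (likelihood 1.0/0.5/0.1, impact 100/50/10) and the risk scale (High above 50, Medium above 10 up to 50, Low 1 to 10) are those of the NIST SP 800-30 risk-level matrix; the rule that turns control effectiveness and threat-source motivation into a likelihood rating is my simplification of the guide's qualitative definitions, and the findings in the register are constructed for a hypothetical payroll system.

```python
# Added example (not from the paper): carries constructed findings from
# steps 1-4 of a NIST SP 800-30 assessment through steps 5-9.
from dataclasses import dataclass

# SP 800-30 numeric weights behind the qualitative likelihood and impact ratings.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Finding:
    """One threat-source / vulnerability pair (constructed data, not a real system)."""
    system: str
    threat_source: str
    vulnerability: str
    motivated_and_capable: bool    # threat-source motivation and capability
    control_effectiveness: str     # existing control: "none", "partial" or "strong"
    impact: str                    # impact-analysis rating: "High", "Medium" or "Low"
    recommended_control: str       # candidate control for step 8
    effectiveness_if_applied: str  # assumed effectiveness once that control is in place


def determine_likelihood(motivated_and_capable: bool, control_effectiveness: str) -> str:
    """Step 5. Simplified rule (my assumption) over the SP 800-30 definitions:
    High   - motivated, capable threat-source and controls are ineffective;
    Medium - controls may impede exercise, or the source lacks motivation/capability;
    Low    - controls prevent or significantly impede exercise."""
    if control_effectiveness == "strong":
        return "Low"
    if control_effectiveness == "partial" or not motivated_and_capable:
        return "Medium"
    return "High"


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood weight x impact weight (the risk-level matrix)."""
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 6)


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(f: Finding) -> dict:
    """Risk before and after the recommended control, as one row of the results report."""
    before = determine_likelihood(f.motivated_and_capable, f.control_effectiveness)
    after = determine_likelihood(f.motivated_and_capable, f.effectiveness_if_applied)
    score_before = risk_score(before, f.impact)
    score_after = risk_score(after, f.impact)
    return {
        "system": f.system,
        "vulnerability": f.vulnerability,
        "likelihood": before,
        "impact": f.impact,
        "score": score_before,
        "risk": risk_level(score_before),
        "recommended_control": f.recommended_control,
        "residual_score": score_after,
        "residual_risk": risk_level(score_after),
    }


def results_report(findings: list) -> list:
    """Step 9 output: every finding assessed and ranked by current risk, highest first."""
    rows = [assess(f) for f in findings]
    rows.sort(key=lambda r: (-r["score"], r["system"], r["vulnerability"]))
    return rows


# Constructed risk register for a hypothetical payroll environment.
SAMPLE_FINDINGS = [
    Finding("Payroll DB", "External attacker",
            "Unpatched database listener reachable from the internet",
            True, "none", "High",
            "Patch the listener and restrict it to the application subnet", "strong"),
    Finding("Payroll DB", "Disgruntled administrator",
            "Shared DBA account with no activity logging",
            True, "partial", "High",
            "Individual privileged accounts with session logging", "strong"),
    Finding("HR portal", "Opportunistic scanner",
            "Verbose error pages disclose the framework version",
            False, "none", "Low",
            "Generic error handler", "strong"),
]

if __name__ == "__main__":
    for r in results_report(SAMPLE_FINDINGS):
        print(f"{r['risk']:<6} ({r['score']:>5.1f}) {r['system']}: {r['vulnerability']}"
              f" -> {r['recommended_control']} (residual {r['residual_risk']})")
```

Two points the report makes visible that the nine-step description does not: a Low-likelihood, High-impact finding lands in the Low band (0.1 x 100 = 10), so a strong control on the listener drops that finding from High to Low, while the HR portal finding starts and ends at Low and its recommended control buys no change in rating, which is the kind of result that should steer where remediation budget goes.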

References

Feringa, A., Goguen, A. & Stoneburner, G. (2012). Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology, pp. 8-26.

Green, P. E. J. (2015). Enterprise Risk Management: A Common Framework for the Entire Organization, pp. 211-215.

Greene, S. (2014). Security Program and Policies: Principles and Practices, pp. 101-105.

Kissel, R. (2015). Small Business Information Security: The Fundamentals, pp. 123-129.

McCrie, R. & Snedaker, S. (2017). The Best Damn IT Security Management Book Period, p. 680.