Risk Management Procedure
In most organizations, IT systems are gradually expanded and updated. Business applications are upgraded to newer versions or replaced completely, and staff join and leave the organization. With these changes come new risks, and risks that were previously mitigated may become a concern again. Thus, a risk management procedure must be developed and regularly consulted.
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level (NIST, n.d.). What an organization defines as "acceptable" is influenced by the type of data stored on its workstations and servers, the trust placed in employees to use that data in an acceptable manner, and the availability of the data needed to continue business operations during an unforeseen event or disaster.
A data breach is any form of attack in which data is taken or destroyed. The many credit card hacks of the last few years are examples of data breaches.
How does an organization prepare for every type of disaster scenario: a power outage, an intentional or unintentional data breach, a fire in the server room, and so on? While it is not possible to build a defense against every scenario, some scenarios are far more likely to occur than others. With a risk management procedure, an organization can focus its time and effort on understanding and mitigating the risks that matter most to it.
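As an added illustration of the identify, assess, and reduce process (this is not part of the original article), the following risk register scores the scenarios named above using the likelihood and impact weights and risk-level thresholds from the 2002 NIST SP 800-30 guide cited below, and lists those above an assumed acceptable level. The ratings given to each scenario are constructed for the example, not taken from any real assessment.

```python
"""Risk register scored with the NIST SP 800-30 (2002) risk-level matrix.

Likelihood weights are stored in tenths (Low 0.1, Medium 0.5, High 1.0)
so that every score is exact integer arithmetic; impact uses the guide's
10 / 50 / 100 scale. Scenario ratings below are constructed for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD_TENTHS = {"Low": 1, "Medium": 5, "High": 10}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class Risk:
    scenario: str
    likelihood: str          # "Low" | "Medium" | "High"
    impact: str              # "Low" | "Medium" | "High"

    def score(self) -> int:
        # likelihood x impact; exact because IMPACT values are multiples of 10
        return LIKELIHOOD_TENTHS[self.likelihood] * IMPACT[self.impact] // 10

    def level(self) -> str:
        # SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)
        s = self.score()
        if s > 50:
            return "High"
        if s > 10:
            return "Medium"
        return "Low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register highest score first: where effort should go."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def unacceptable(register: list[Risk], acceptable_max: int) -> list[Risk]:
    """Risks still above the organization's chosen acceptable level."""
    return [r for r in prioritize(register) if r.score() > acceptable_max]


# Constructed register using the scenarios from the text.
REGISTER = [
    Risk("Power outage in the server room", "Medium", "Medium"),
    Risk("Intentional data breach (card data theft)", "High", "High"),
    Risk("Unintentional data breach (misdirected email)", "High", "Medium"),
    Risk("Fire in the server room", "Low", "High"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():>4} {r.level():<7} {r.scenario}")
```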
A security policy is a written document that defines how an organization will protect its IT infrastructure. Generally, policies are put in place to direct employees towards actions that are authorized by the organization. Such pre-planned directives reduce the number of unexpected outcomes, and thus fall under "Risk Management Procedure".
The acceptable use policy defines what is and is not acceptable to do on an organization's computers. Generally, on the date of hire every employee is required to read and sign such a policy before they can officially start their employment. The policy may state such things as the following:
- Equipment and any proprietary information stored on the organization's computers are the property of the organization
- Users will only access information they are authorized to access, and not attempt to circumvent established restrictions
- No one may use an organization's computer for anything that is illegal
Additional Cybersecurity & IT Policies
In reality, each organization is free to have as many policies as it needs to ensure that business interests are protected and that each employee meets an agreed-upon standard of conduct. For example, other policies relevant to a risk management procedure may include:
- Email Policy - Defines the requirements for proper use of the company email system and makes users aware of what is considered acceptable and unacceptable use of that system.
- Ethics Policy - Defines the guidelines and expectations of individuals within the company to demonstrate fair business practices and encourage a culture of openness and trust.
- Password/Passphrase Policy - Defines the guidelines and best practices for the creation of strong passwords.
- Remote Access Policy - Defines standards for connecting to the organization's network from any host or network outside of the organization.
The SANS Institute provides sample security policies that can be freely used in your risk management procedure as well: https://www.sans.org/security-resources/policies
NIST. (n.d.). Risk Management Guide for Information Technology Systems. Retrieved from Computer Security Resource Center: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01