As an IT governance practitioner, a common question I get from CIO and CISO clients is: which comes first, Risk Analysis or Security Policy? This is really a chicken-and-egg question, and here is why.
Risk Analysis is the process of identifying, quantifying (qualitatively or quantitatively) and ranking the exposures an organization faces in deploying assets towards attaining its goals. Sometimes called Risk Assessment, Risk Analysis takes into account various aspects of the organization's operating environment, including the compliance environment, infrastructure, people and other resources, as well as the threat environment, to determine the organization's risk exposure.
One outcome of Risk Analysis is Risk Mitigation, and one of the tools for effective Risk Mitigation is the development, deployment and enforcement of policies. So in this analysis, Risk could be said to drive Policy.
Policy, in Cyber Security parlance, is the set of rules or parameters that guide the routine operation and consumption of cyber resources and infrastructure. IT policies are (or at least should be) based on the operational environment of the organization. In some cases, the framework identified within the IT policy becomes the backbone of an IT Risk Assessment. It is easy to see the confusion.
Indeed, the confusion deepens in light of the fact that many organizations developed and deployed cyber security policies long before risk assessment became a regular IT term. Increasingly though, organizations are gearing toward risk-based IT security, and that in turn often means letting the outcome of Risk Assessment drive the construction of Cyber Security policies.
As the concepts of IT Risk Management, and IT Governance by and large, become an integral part of organizational operational frameworks, IT policies, including IT Security policies, will be driven more as a holistic part of IT Governance, and will work more in tandem with IT Risk Management, both as a complement to, and as a feeder of and beneficiary from, the Risk Assessment process.
It is a great time to be an IT governance practitioner, albeit a challenging time for IT operational professionals in general.