Building the Security Risk Management Team

Before starting the risk assessment process, do not overlook the need to clearly define roles within the Security Risk Management Team. Because the risk management scope includes the entire business, non-Information Security Group members may request to be part of the team. If this occurs, outline clear roles for each member and align with the roles and responsibilities defined in the overall risk management program above. Investing in role definition early reduces confusion and assists decision making throughout the process. All members on the team must understand that the Information Security Group owns the overall process. Ownership is important to define because Information Security is the only group that is a key stakeholder in every stage of the process, including executive reporting.

Security Risk Management Team Roles and Responsibilities

After assembling the Security Risk Management Team, it is important to create specific roles and to maintain them throughout the entire process. The primary roles of the Risk Assessment Facilitator and the Risk Assessment Note Taker are described below.

The Risk Assessment Facilitator must have extensive knowledge of the entire risk management process and a thorough understanding of the business, as well as an understanding of the technical security risks that underlie the business functions. He or she must be able to translate business scenarios into technical risks while conducting the risk discussions. As an example, the Risk Assessment Facilitator needs to understand both the technical threats to and vulnerabilities of mobile workers and the business value of such workers. For example, customer payments will not be processed if a mobile worker cannot access the corporate network. The Risk Assessment Facilitator must understand scenarios such as these and be able to identify the technical risks and potential control requirements, such as mobile device configuration and authentication requirements. If possible, select a Risk Assessment Facilitator who has performed risk assessments in the past and who understands the overall priorities of the business.

If a facilitator with risk assessment experience is unavailable, enlist the assistance of a qualified partner or consultant. However, be sure to include an Information Security Group member who understands the business and the stakeholders involved.

Note   Outsourcing the risk assessment facilitation role may be attractive, but beware of losing the stakeholder relationship, business, and security knowledge when the consultants leave. Do not underestimate the value that a risk management process brings to the stakeholders as well as the Information Security Group.

The Risk Assessment Note Taker is responsible for capturing notes and documenting the planning and data gathering activities. This responsibility may seem too informal for role definition at this stage; however, solid note taking skills pay off in the prioritization and decision support processes later in the process. One of the most important aspects of managing risk is communicating risk in terms that stakeholders understand and can apply to their business. A thorough note taker makes this process easier by providing written documentation when needed.

Summary

Chapters 1-3 provide an overview of risk management and define the goals and approach to begin building the foundation for a successful implementation of the Microsoft security risk management process. The next chapter covers the first phase, Assessing Risk, in detail. Subsequent chapters follow each phase of the risk management process, Conducting Decision Support, Implementing Controls, and Measuring Program Effectiveness.