Corporate risk analysis and management strategies

Whilst many organisations consider they assess security risks in some way, and fair numbers conduct detailed risk analysis and management reviews, very few so far have stood back and questioned “are we spending time and money on the right systems?” and/or “are we focusing on the systems of high risk and providing low risk systems with a level of attention appropriate to low risk and only code of good practice security?”. What is needed is a corporate strategy appropriate to the organisation which enables risks to be addressed in the most cost and time effective manner. It may involve approaches to quickly categorise systems say as high, medium or low risk, and then identify the security countermeasures for the low and medium risk systems without the need for detailed risk analysis, and for high risk systems enable detailed risk analysis and management, and the management of security change over time, in the most streamlined way. This paper covers: the background to the urgent need for corporate risk analysis and management strategies; the possible options for strategies; recommendations of the preferred strategy for most environments; and the key components necessary to facilitate a good strategy