Risk Management
An enterprise has to know what risks it is facing. ISO-Metrics is implementing an information security risk management plan, which is crucial for cybersecurity readiness.

Risk management is an activity directed towards the assessment, mitigation, and monitoring of risks to an organization. Information security risk management is a major subset of the enterprise risk management process; it includes both the assessment of information security risks to the institution and the determination of appropriate management actions and priorities for managing and implementing controls to protect against those risks.
The risk management process involves setting institutional priorities and making key decisions regarding what is sometimes called the institution's "appetite for risk". Primary direction in making decisions about risk acceptance needs to come from institutional leadership. Information security organizations may manage the risk management program, but it is necessary to consult institutional leadership about handling risks that cannot effectively be reduced or mitigated. The Risk Management Framework provides useful guidance to assist with developing these processes.
This process can be broadly divided into two components:
- Risk assessment
- Risk treatment
Risk assessment identifies, quantifies, and prioritizes risks against both criteria for risk acceptance and objectives relevant to the organization. The assessment results guide the determination of appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. The assessment should include both a systematic approach to estimating the magnitude of risks and a process for comparing estimated risks against risk criteria to determine the significance of the risks.
The scope of a risk assessment can be the whole organization, parts of the organization, an individual information system, or even specific system components or services. Performing a risk assessment in areas that include technology infrastructure also involves performing vulnerability assessments to help quantify risks. This process of assessing risks and vulnerabilities needs to be performed at recurring intervals, especially if an incremental approach is selected, to ensure that comprehensive and effective results are obtained. Recurring assessment also ensures that evolving security requirements and other significant changes are assessed. For example, IT implements new products or services each year, and each may introduce new or additional risks through vulnerabilities that can be exploited.

Once a risk assessment is completed, risk treatment is the next step in the process. For each of the risks identified during a risk assessment, a risk treatment decision needs to be made. Possible options for risk treatment include:
- Knowingly and objectively accepting risks, provided they clearly satisfy the organization's policy and criteria for risk acceptance
- Applying appropriate controls to reduce the risks
- Avoiding risks by not allowing actions that would cause the risks to occur
- Transferring the associated risks to other parties, e.g. insurers or suppliers.

For each of the risks where the treatment decision is to apply some level of risk mitigation, appropriate controls may be selected from a control master list, which may be drawn from Annexure A or elsewhere (the SANS Top Twenty Critical Security Controls, for example). Controls should be selected to ensure that risks are reduced to an acceptable level. Take into account applicable federal, state, and local statutes as well as other binding regulations. Additionally, consider institutional goals and objectives, operational requirements and constraints, the cost of implementing effective controls relative to the potential harm of not implementing them, and the costs likely to result from one or more security failures.
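As an added illustration (not ISO-Metrics' own tooling), the following Python risk register carries out both components described above: it estimates each risk's magnitude, ranks the register, compares each risk against a constructed acceptance criterion, and records a treatment decision, selecting the cheapest applicable control that brings residual risk to an acceptable level and escalating to leadership any risk that no available control reduces enough. The 1-5 scales, the appetite threshold, and the sample risks and controls are all constructed assumptions.

```python
from dataclasses import dataclass, field
RISK_APPETITE = 6  # constructed acceptance criterion: likelihood x impact (1-5 scales) at or below this

@dataclass
class Control:
    name: str
    cost: int                # relative implementation cost
    likelihood_cut: int = 0  # points the control removes from likelihood
    impact_cut: int = 0      # points the control removes from impact

@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    options: list[Control] = field(default_factory=list)  # controls applicable to this risk
    treatment: str = "undecided"
    control: str = ""        # name of the selected control, once treated
    residual: int = 0        # residual magnitude after treatment (0 = not yet treated)

def magnitude(risk: Risk) -> int:
    return risk.likelihood * risk.impact

def prioritise(risks: list[Risk]) -> list[Risk]:
    return sorted(risks, key=magnitude, reverse=True)  # assessment: highest magnitude first

def residual_after(risk: Risk, control: Control) -> int:
    return max(1, risk.likelihood - control.likelihood_cut) * max(1, risk.impact - control.impact_cut)

def treat(risk: Risk, appetite: int = RISK_APPETITE) -> Risk:
    """Accept within appetite; else cheapest option fitting the appetite; else escalate to leadership."""
    if magnitude(risk) <= appetite:
        risk.treatment, risk.residual = "accept", magnitude(risk)
    elif fits := [c for c in risk.options if residual_after(risk, c) <= appetite]:
        best = min(fits, key=lambda c: c.cost)
        risk.treatment, risk.control = "reduce", best.name
        risk.residual = residual_after(risk, best)
    else:  # nothing reduces it enough: leadership must avoid, transfer or knowingly accept it
        risk.treatment, risk.residual = "escalate", magnitude(risk)
    return risk

# Constructed sample: a small control master and a register with applicable controls.
MFA, BACKUPS, PATCHING = (Control("MFA", 2, likelihood_cut=3),
                          Control("offline backups", 3, impact_cut=3),
                          Control("patch cadence", 1, likelihood_cut=1))
REGISTER = prioritise([Risk("credential stuffing", 5, 3, options=[MFA, PATCHING]),
                       Risk("ransomware on file server", 3, 5, options=[BACKUPS, PATCHING]),
                       Risk("stale test VM", 2, 2, options=[PATCHING]),
                       Risk("data centre flood", 2, 5)])  # no applicable control: escalated
for risk in REGISTER: treat(risk)
```

Re-running the register at each recurring assessment interval, with updated likelihood and impact estimates, is what keeps the treatment decisions current.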
It should be kept in mind that even after mitigating all current risks, achieving a 'state of complete security' is unlikely. Continuous improvement through regular review of all existing risks has a very positive impact.
