Stakeholders
People or organizations that have a vested interest in some aspect of an organization’s planning, operation, or outcomes.
Strategic Planning
The process of defining the organization’s long-term direction and determining the resources needed to achieve it.
Champion
A high-level executive who provides influence, funding, and support for a cybersecurity initiative.
Methodology
A formal, structured sequence of procedures for solving a problem and ensuring a consistent, rigorous process.
Systems Development Life Cycle (SDLC)
A methodology for designing and implementing systems through investigation, analysis, design, implementation, and maintenance phases.
Controls and Safeguards
Security mechanisms, policies, or procedures that counter attacks, reduce risk, and improve protection.
Corporate Governance
The framework of rules, practices, and processes by which an organization is directed and controlled.
Cybersecurity Governance
The integration of cybersecurity strategy with overall corporate governance to ensure accountability, risk management, and alignment with business goals.
Corporate Governance Task Force (CGTF) Framework
A 2004 initiative that established core activities for cybersecurity governance—annual evaluations, risk assessments, policies, awareness, testing, and continuous improvement.
IDEAL Model
A five-phase process (Initiating, Diagnosing, Establishing, Acting, Learning) used for continuous improvement in governance and security programs.
ISO/IEC 27014 (2020) Governance of Information Security
An ISO standard that defines governance objectives—integrated information security, risk-based decisions, conformance, culture, and performance monitoring.
ISO 27014 Governance Processes
Four core processes—Evaluate, Direct, Monitor, and Communicate—that guide executive oversight of cybersecurity.
Governance, Risk Management, and Compliance (GRC)
The integrated approach to aligning organizational strategy, managing risks, and ensuring regulatory compliance.
GRC² (GRC Squared) Model
A Verizon model coupling “Goals, Requirements, and Constraints” with “Governance, Risk, and Compliance” to enhance decision-making and performance.
Governance in GRC²
Defines how leadership sets direction, monitors performance, and ensures transparency for better control and accountability.
Risk Management in GRC²
Focuses on identifying, analyzing, and mitigating risks that threaten strategic objectives.
Compliance in GRC²
Ensures the organization meets internal policies and external regulations through consistent measurement and documentation.
Security Convergence
The integration or coordination of physical security and cybersecurity functions to reduce costs and align risk management with business goals.
Enterprise Risk Management (ERM)
A framework that aligns security activities with business objectives and supports collaboration across departments.
Risk Council Approach
A cross-functional method for policy and decision-making on organizational risk management and convergence.
Unified Risk Oversight
A model that brings together operations, HR, legal, IT, finance, and security leaders to coordinate risk mitigation enterprise-wide.
Organizational Culture
The largest factor in determining whether security convergence or integration is successful.
Chief Information Officer (CIO)
The executive who aligns IT strategy with organizational goals and ensures broad support for security initiatives.
Chief Security Officer (CSO)
The executive responsible for developing, implementing, and maintaining the organization’s cybersecurity plan and risk management efforts.
Corporate Security Program
A department that protects employees, assets, and information from risks such as theft, violence, regulatory non-compliance, and data breaches.
Security Executive Council (SEC)
An advisory organization providing research-based guidance for corporate security risk mitigation and program evaluation.
Elements of Corporate Security Program
Key components include risk assessment, strategic planning, training, communication, ethics, resiliency, supply-chain security, and continuous learning.
Critical Success Factors for Security Implementation
Readiness, leadership capability, department maturity, corporate culture, and regulatory requirements.
Top-Down Approach
Cybersecurity implementation driven by executive leadership with clear goals, funding, policies, and organization-wide participation.
Bottom-Up Approach
Cybersecurity efforts originating from administrators or technicians that often lack coordination and executive support.
Project Champion
A senior executive who advocates for a security initiative and secures resources and organizational buy-in.
Critical Success Factors for Cybersecurity Workshops
Use skilled facilitators, secure executive sponsorship, involve key stakeholders, set clear goals, define deliverables, and avoid technical jargon.
Continuous Improvement Program (CIP)
A process of periodic review and refinement of the cybersecurity program to maintain effectiveness against emerging threats.
Waterfall Model
A linear SDLC method where each phase flows into the next with periodic reviews and limited rework.
Investigation Phase
Initiated by management to set objectives, scope, budget, and team; includes policy development and feasibility analysis.
Analysis Phase
Examines existing policies, controls, and threats; includes risk identification and assessment to prioritize information assets.
Design Phase
Divided into logical and physical design stages to create the cybersecurity blueprint, policies, controls, and contingency plans.
Managerial Controls
Strategic and administrative controls designed to define scope, risk management, and policy direction.
Operational Controls
Processes that govern daily security functions such as incident response, training, physical security, and system maintenance.
Technical Controls
Technology-based mechanisms such as access controls, authentication, authorization, and accountability.
Contingency Planning (CP)
Comprehensive planning for incident response, disaster recovery, and business continuity to maintain operations during disruption.
Incident Response (IR)
The process for identifying, classifying, responding to, and recovering from a security incident.
Disaster Recovery (DR)
Procedures for restoring IT systems and services after a catastrophic event.
Business Continuity (BC)
Processes to ensure critical business functions continue during and after a disaster.
Physical Security
Protective measures for people, hardware, facilities, and media to prevent unauthorized physical access to systems.
Implementation Phase
The deployment and testing of cybersecurity solutions, training programs, and project plans under executive approval.
Project Management
The process of planning, supervising, and closing projects to ensure cybersecurity initiatives meet objectives on time and budget.
Maintenance and Change Phase
Ongoing monitoring, testing, updating, and refinement of the security program to adapt to new threats and technologies.
Data Trustee
A senior executive responsible for data governance within a business unit.
Data Owner
An individual accountable for a specific set of information and its protection and use.
Data Custodian
Personnel who store, maintain, and protect information on behalf of the data owner.
Data User
Any internal or external individual who interacts with organizational information to perform work tasks.
Chief Security Officer (CSO) Responsibilities
Develops policies, conducts risk assessments, creates plans and budgets, and promotes security culture organization-wide.
Chief Information Officer (CIO) Responsibilities
Integrates IT and cybersecurity strategies, allocates resources, and ensures departmental alignment with organizational goals.
Organizational Readiness
Understanding how security supports business goals and what level of protection the organization needs.
Security Leadership Capability
The extent to which security leaders can inspire vision, strategize effectively, and guide program maturity.
Corporate Culture
The shared values and attitudes that determine how security initiatives are accepted and sustained.
Regulatory Requirements
Industry-specific laws and standards that govern data protection and security compliance.
Continuous Learning
The practice of evaluating incidents and adapting the security program through after-action reviews and feedback.