As most of us in the information security profession know, managing risk is not a simple or straightforward task. There are many moving parts and dynamics within a security program that must be accounted for and addressed, even within relatively small organizations and organizations with a strong security culture. The never-ending technical and human issues require constant attention by people in all areas, and at all levels of the organization.
The HealthGuard Functional Risk Management Model for Information Security (referred to as the Model) is intended to help organizations get a clear understanding of the key interactions and interdependencies that should exist within their information security risk management program. It should be adapted to reflect your organizational structure and terminology. One word of caution: when customizing the model for use in your organization, use care when deleting/eliminating any of the elements, or functional areas. We have taken care not to add any “fluff” or extra pieces to this puzzle. All the pieces you see are real and they belong there.
Multi-Purpose
The Model should be used by multiple levels in your organization as a discussion starter and visual aid that will help get stakeholders on the same page.
Executives and board committee members – the Model provides a governance tool that produces a 30,000-foot view of the inner workings of the organization’s information security risk management program.
CIOs – the Model provides a management tool to help CIOs explain the vision or “big picture” of the risk management program to staff and internal-business partners.
Security Managers – the Model can help drive conversation(s) with senior management and other functional areas in the organization. It can also serve as an assessment/inventory tool to help identify areas that need attention.
Communication
The Model indicates areas where there should be open lines of communication and collaboration between departments and operational areas (e.g., risk management, information security, IT, compliance). In organizations where departmental “silos” exist, this will likely take time and conscious effort by individuals, as well as continuous “care and feeding” by the organization’s leadership.
Thought Starters
Here are a few questions executives and organizational leaders should consider:
- Do our leaders and managers have adequate visibility into the organization’s information security related risk?
- Do our leaders and managers have the risk related information necessary to make well informed decisions?
- Are our information security policies and related controls aligned with the business requirements, priorities and risk tolerance level?
What the Model is Not
The Model is not intended to replace other risk management methodologies or frameworks that you may be using. It is only intended to provide another perspective for those tools, thereby augmenting them.
Future
In future posts, we will be discussing specific and practical applications of the Model as well as the functional areas and elements within the Model. Until then, feel free to take and use the Model (see license information below) within your organization. I also welcome comments and feedback on the Model, as we will be continuously refining and improving it based on real-world learnings.
Download a PDF version of the diagram here.
HealthGuard Functional Risk Management Model for Information Security by Apolonio R. Garcia III is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. If you would like permission to modify/customize the model for your organization, email your request to author Apolonio Garcia (agarcia@hgitsecurity.com).