Step 1: Risk Assessment
Information security risk is created by the confluence of three major drivers: assets, vulnerabilities, and threats. In order to understand information security risk, it is necessary to understand the current and future state of each of these elements. In order to minimize risk, it is necessary to manage assets, vulnerabilities, and threats through formalized programs.
Step 2: Loss Prevention
- Shared governance creates policies.
- Standards articulate the requirements to achieve the object
- Guidelines provide technical and procedural details that are too specific or change too frequently to be included in the standards.
Step 3: Loss Control
Loss Control is accomplished through initiatives in the following areas:
Step 4: Loss Financing
Loss Financing transfers risks to third parties through:
Step 5: Evaluation
Evaluation is provided through:
- An exception process to manage Residual Risk
- Metrics and reporting
- Audit support