Addressing Risk Using The New Enterprise Security Risk Management Cycle Joa Eng 0920
[Figure: ESRM cycle. Cycle steps: Identify and Prioritize Assets; Identify and Prioritize Risk; Mitigate Prioritized Risk; Continuous Improvement (Monitoring, Assessment, Analysis, Risk Mitigation). Foundation: Mission and Vision, Core Values, Operating Environment, Stakeholders, Content.]
Source: ASIS International, Enterprise Security Risk Management Guideline, 2019. Used with permission.
Harisaiprasad Kumaragunta, CISA, APP, ISO 22301 LI, ISO 27001 LA, ISO 9001 LA, Six Sigma Green Belt
is an associate consultant with Mahindra Special Services Group with more than 12 years of experience in the industry. He is the ISACA® New Delhi (India) Chapter leader and social media chair. He is also a topic leader for the ISACA Certified Information Systems Auditor® (CISA®) online forum. He is a frequent contributor to blogs and has published articles related to the information security domain in ISACA Now, COBIT Focus and the ISACA® Journal. He conducts user awareness training, internal auditor training, International Organization for Standardization ISO 27001 audits, regulatory audits, third-party audits, internal audits, IT audits and risk assessments, and implements ISO 27001, among other tasks. He can be contacted at harisaiprasad@gmail.com.
“ESRM helps an enterprise improve the maturity of its security process.”

Sharing of security information with asset owners and stakeholders forms an important part of the continuous improvement process. This helps security professionals send and receive information from asset owners, which contributes to continuous improvement.
5 Optimized: It is characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.
4 Managed: It is characteristic of processes at this level that, using process metrics, management can effectively control the as-is process (e.g., for software development). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process capability is established from this level.
3 Defined: It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the as-is processes) and used to establish consistency of process performance across the organization.
2 Repeatable: It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
1 Ad Hoc: It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes.
0 Non-Existent/Not Wanted: The requirement is non-existent in the environment and/or not desired.
Figure 4—People, Process and Governance Average Score and Recommended Score

Requirement                                      Current Score (Average)   Recommended Score
Program strategy                                 3                         3
Program governance                               3                         3
Understanding and awareness                      4                         3
Program implementation and application           2                         3
Program management and advancement               3                         3
Alignment of security risk mitigation activity   3                         3

Enterprise Score: 3 “defined”