One element often missing or inadequate is ensuring and assessing the effectiveness of security risk management and security assessments.
The following are examples of some indicators which should be evident in a security risk assessment or management system.
Accountability-risk acceptance. The individual who accepted the risk is clearly identified.
Accountability-risk treatment. The individual who is responsible for treating the risk is clearly identified.
Existing controls. Explicitly identified and linked to risks.
Scope, Context, and Criteria are identified.
Consequences and likelihood are assessed, and supporting evidence is referenced.
Methodology of risk and threat assessments are documented, use (or adapt) a robust and recognized framework or methodology.
Threat and risk assessments follow and comply with the identified methodology. Eg: SRMBOK Methodology, ISO31000 RiskManagement Standard
Human Factors are considered and documented.
Risk assessment tools are correctly applied and minimize biases or subjectivity as much as possible.
Risk assessment tools are appropriate for the scale of the activity.
Risk statements meet the criteria outlined in ‘RiskStatements.’
Guidance For Assessment Of SRM/A Quality Indicators
The following 10-point scoring method is designed to provide guidance when assessing the quality of security risk assessments and management systems.
No intention to implement the requirements of the indicator.
Some awareness and intention to implement. May be limited or inadequate action to implement at this stage.
Early progress toward implementation. Evidence of management commitment of resources to the requirements of the indicator.
Preparation for consistent implementation is well underway. Early drafts of documents supporting the indicator may be available.
The basic requirements of the indicator are almost in place. Documents may be in draft form. Planning may have occurred, but plans are not fully implemented. Implementation of the basic requirements of the indicator is imminent.
Satisfies minimum requirements of the indicator. Basic documentation can be produced if specified in the indicator. The system may be relatively new, but there is evidence that requirements are applied within the organization. Compliance with minimum standards and/or relevant legislation.
Basic documentation supports the requirements of the indicator even though it may not be specified in the indicator itself. Continuous improvement processes are developing and regularly demonstrated in documentary form. Monitoring procedures in place as part of continuous improvement.
Requirements of the indicator have been in place long enough to allow evaluation and review. Maintaining more than the minimum requirements but room for improvement. Strong supporting documentation. Ongoing continuous improvement.
Sustained performance in parts of the organization where the requirements of the indicator apply. Some minor problems may occur from time to time, but these are rare. Continuous Improvement is evident.
Continuous Improvement processes ensure sustained performance. It could be used as a benchmark. Excellent supporting documentation that is updated as part of continuous improvement. Consistent application of the requirements of the indicator over time. Based on current industry practices, the assessors cannot identify the scope for improvement.