What Is Enterprise and Security Risk Management?
Enterprise security risk management (ESRM) includes the methods and processes to manage security risks and realize opportunities related to organizational objectives. ESRM typically involves identifying events or circumstances relevant to the organization's objectives, assessing them, determining a response strategy, and monitoring progress.
Enterprise Security Risk Assessment (ESRA) differs from conventional security risk assessment not only in scale but also in its nature. A conventional security risk assessment (SRA) seeks to analyze the risks of a business unit or subset of the enterprise (e.g. a particular facility, project, or system).
By contrast, an ESRA has little interest in the specifics of each business unit unless they demonstrate thematic issues that are evident across sections of the enterprise.
The focus of an ESRA is on the security of the overall enterprise. It may also seek to establish measures such as security standards, systems, and protocols so that individual units all face similar levels of risk.

You cannot approach an ESRA as if the organization were merely a collection of (say) 100 offices, 50 servers, and 3 data centers in 20 countries. The concept requires the security risk analyst(s) to focus on the totality of an integrated enterprise: one that operates a single business across many facilities, operates a cloud server, and happens to have a presence in 20 nations.

There should be no requirement to visit each of the countries, or even a majority of the locations and systems, to conduct an ESRA and develop an enterprise security treatment plan. It is essential, however, to understand and evaluate the threats and risks across each level or category of business units.
A scoping statement for an ESRA might include:
Enterprise-wide strategic security risks (physical, personnel, technology, and information).
Business activities and corporate operations globally.
Review of enterprise-wide strategic security measures currently in place for the protection of personnel, assets, and information both at our facilities and while in transit.
Review and develop security standards and postures across a range of threat levels such that the enterprise can respond with established protocols to any variation in threat levels.
IT systems as well as interfaces with key external systems.
Physical protection of server rooms and systems.
Review of existing security policies, procedures, documents, incident reports, manuals, etc.
Identification of risks associated with key assets, activities, and operations of the organization.
Identification and assessment of key vulnerabilities and threats.
Qualitative and quantitative assessment of security risks currently facing the enterprise.
Recommend treatment plans to manage or mitigate the risk to an acceptable residual level.