Managing Risk on Security-related Projects

Every company has assets that help it generate profit and that therefore require protection. Information security professionals help companies assess and manage the risk to those assets and make sure that cost-effective, appropriate response strategies are chosen to address it.

Enterprises in turn may decide to implement mitigation strategies in the form of technical, procedural, physical or legal controls. Such an implementation has a defined start and end date and requires resources, which makes it a project rather than an operational activity.

However, such implementations carry their own project risks. According to the Guide to the Project Management Body of Knowledge (PMBOK Guide), a risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.

The project risk management process is similar to information security risk management and consists of four stages:

1. Identification – log the risk, agree it with the team and assign an owner

2. Analysis – the owner assesses the risk and sets its probability and impact

3. Response planning – decide what response will be taken to manage the risk

4. Monitoring and Control – an ongoing process of tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans and evaluating their effectiveness throughout the programme

It is good practice to involve your team and all relevant stakeholders during the project planning stage to identify the risks and populate the risk log.

A typical risk log records the following for each risk:

  • ID – a sequential number (e.g. 1, 2, 3)
  • Risk – a specific definition of the risk event
  • Consequence – the effect the event would have on the business, change programme or project
  • Trigger – an event which signals that the risk has occurred
  • Date Raised – when the risk was initially raised
  • Date Updated – when the entry was last updated
  • Owner – the person responsible for monitoring the risk event, notifying the team and executing the risk response
  • Due Date – when the response actions will be completed
  • Probability (on a scale of 1-5) – likelihood of the risk occurring
  • Impact (on a scale of 1-5) – impact if the risk does occur
  • Risk Score – Probability x Impact
  • Response Strategy – the specific agreed actions which will be taken to manage the risk (Avoid, Transfer, Mitigate, Accept)
  • Current Status – the risk status (Red, Amber, Green, Closed)

During the execution of the project, the risk log should be revised continuously so that project issues, risks and mitigating actions are fully and formally assessed and managed throughout the project lifecycle.
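The field list and the update cycle above can be turned into a small, runnable risk register. The following is an added example, not code from the original post or its downloadable sample log: it enforces the 1-5 scales, computes Risk Score as Probability x Impact, stamps Date Updated whenever an owner re-scores or closes an entry, and sorts open risks for the next review. The Red/Amber/Green thresholds (15 and 8) and the three sample entries are assumptions constructed for the example; the post does not fix them.

```python
"""Minimal project risk log: fields, Risk Score = Probability x Impact, RAG status."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Response(Enum):
    AVOID = "Avoid"
    TRANSFER = "Transfer"
    MITIGATE = "Mitigate"
    ACCEPT = "Accept"


# RAG thresholds are an assumption for this example; the post does not define them.
RED_AT = 15
AMBER_AT = 8


def _check_scale(name: str, value: int) -> None:
    """Probability and Impact must be integers on the 1-5 scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer on the 1-5 scale, got {value!r}")


@dataclass
class Risk:
    risk_id: int
    risk: str             # specific definition of the risk event
    consequence: str      # effect on the business / programme / project
    trigger: str          # event that signals the risk has occurred
    owner: str
    probability: int      # 1-5
    impact: int           # 1-5
    response: Response
    due_date: date        # when the response actions will be completed
    date_raised: date
    date_updated: Optional[date] = None
    closed: bool = False

    def __post_init__(self) -> None:
        _check_scale("probability", self.probability)
        _check_scale("impact", self.impact)
        if self.date_updated is None:
            self.date_updated = self.date_raised

    @property
    def score(self) -> int:
        return self.probability * self.impact

    @property
    def status(self) -> str:
        if self.closed:
            return "Closed"
        if self.score >= RED_AT:
            return "Red"
        if self.score >= AMBER_AT:
            return "Amber"
        return "Green"


class RiskLog:
    def __init__(self) -> None:
        self._risks: dict[int, Risk] = {}

    def add(self, risk: Risk) -> Risk:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk ID {risk.risk_id}")
        self._risks[risk.risk_id] = risk
        return risk

    def get(self, risk_id: int) -> Risk:
        return self._risks[risk_id]

    def reassess(self, risk_id: int, probability: int, impact: int, today: date) -> Risk:
        """Owner re-scores a risk during monitoring; stamps Date Updated."""
        _check_scale("probability", probability)
        _check_scale("impact", impact)
        r = self._risks[risk_id]
        r.probability, r.impact, r.date_updated = probability, impact, today
        return r

    def close(self, risk_id: int, today: date) -> Risk:
        r = self._risks[risk_id]
        r.closed, r.date_updated = True, today
        return r

    def open_by_score(self) -> list[Risk]:
        """Open risks, highest score first (earliest due date breaks ties)."""
        return sorted((r for r in self._risks.values() if not r.closed),
                      key=lambda r: (-r.score, r.due_date))

    def overdue(self, today: date) -> list[Risk]:
        """Open risks whose response actions have passed their due date."""
        return [r for r in self.open_by_score() if r.due_date < today]


def sample_log() -> RiskLog:
    """Constructed sample entries for illustration only (not the post's sample log)."""
    log = RiskLog()
    raised = date(2015, 3, 2)
    log.add(Risk(1, "Vendor delivers SIEM connector late", "Go-live slips one sprint",
                 "Vendor misses weekly build drop", "A. Patel", 4, 4,
                 Response.MITIGATE, date(2015, 4, 15), raised))
    log.add(Risk(2, "Key engineer on leave during cut-over", "No one to run the runbook",
                 "Leave request approved", "B. Chen", 2, 3,
                 Response.TRANSFER, date(2015, 4, 1), raised))
    log.add(Risk(3, "Firewall change window refused by ops", "Control not enforced at go-live",
                 "CAB rejects change ticket", "C. Okoro", 3, 5,
                 Response.AVOID, date(2015, 3, 20), raised))
    return log
```

Calling `sample_log().open_by_score()` gives the review-meeting order; `reassess` and `close` are the only ways scores and status change, so Date Updated always reflects the last formal assessment.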

Download a sample risk log
