Addressing the Highest Risks

Tags: cybersecurity, risk management, small business | Aug 22, 2022

As we conclude the risk assessment and governance process, the last part deals with the organization's highest risks. Note the distinction: the highest risks are not the same as the most severe vulnerabilities. A risk combines the likelihood that a threat exploits a weakness with the impact on the business if it does, so a critical-severity vulnerability on an isolated, low-value system may rank well below a moderate weakness in a revenue-critical process. This work can take the form of tabletop exercises or brainstorming sessions. NIST covers this effort in the Cybersecurity Framework subcategory ID.RA-6, "Risk responses are identified and prioritized."

The steps NIST lays out are:

  1. Implement a process to ensure the security program's plan of action and milestones (POA&M) is developed and maintained, and that each remediation plan is appropriate for the type and magnitude of the risk it addresses.
  2. Review the POA&M for consistency with the organization's risk management strategy, including its risk appetite and the priorities set during the assessment.

Make sure each action in the POA&M has a named owner and a target date, and that each action is evaluated from an organizational perspective rather than from the viewpoint of a single team. When running scenario-based tabletop exercises, involve representatives from every affected business area so that the participants reach a common understanding of the risk, the response, and who is accountable for it.



Author: Dr. Bill Souza | Aug 22, 2022 

