Addressing the Highest RisksAug 22, 2022
As we conclude the risk assessment and governance process, the last part will deal with the organization's highest risks, not the highest vulnerability, but rather the highest risks. This work could take the form of desktop exercises or brainstorming sessions. NIST cover this effort in the subcategory ID.RA-6 “Risk responses are identified and prioritized.”
The process NIST lays out are:
- Implement a process to ensure the security program's plan of action and milestones (POA&M) are developed and maintained and that remediation plans are appropriate for the type of risk.
- Review the POA&M for consistency with the organization’s risk management strategy.
Make sure each action in this process has an owner assigned, and each action is viewed from an organizational perspective. When running scenario-based testing, make sure that representatives from each affected business area are involved in the exercise to ensure a common understanding.
*** FREE GUIDE ***
Author: Dr. Bill Souza | Aug 22, 2022