Organizational risk management programs should clearly define roles, responsibilities and associated accountabilities for identifying, evaluating, documenting, remediating and monitoring organizational information security risk. An effective and efficient risk management program enables leadership across the organization to adopt the risk response measures needed to adequately protect their business functions and to prevent intentional or unintentional security incidents.
Understanding and addressing risk is a strategic capability and an enabler of missions and business functions across organizations. Effectively managing information security risk organization-wide requires the following key elements:
- Assignment of risk management responsibilities to senior leaders/executives;
- Ensuring that senior leaders/executives recognize the importance of managing information security risk and establish appropriate governance structures for managing such risk;
- Ongoing recognition and understanding by senior leaders/executives of the information security risks to organizational operations, individuals and assets arising from the operation and use of information systems;
- Establishing the organizational tolerance for risk and communicating the risk tolerance throughout the organization including guidance on how risk tolerance impacts ongoing decision-making activities; and
- Accountability by senior leaders/executives for their risk management decisions and for the implementation of effective, organization-wide risk management programs.