Understanding and addressing risk is a strategic capability and an enabler of missions and business functions across organizations.
Effectively managing information security risk organization-wide requires the following key elements:
- Assignment of risk management responsibilities to senior leaders/executives;
- Recognition by senior leaders/executives of the importance of managing information security risk, and establishment of appropriate governance structures for managing such risk;
- Ongoing recognition and understanding by senior leaders/executives of the information security risks to organizational operations, individuals and assets arising from the operation and use of information systems;
- Establishment of the organizational tolerance for risk and communication of that risk tolerance throughout the organization, including guidance on how it affects ongoing decision-making activities; and
- Accountability by senior leaders/executives for their risk management decisions and for the implementation of effective, organization-wide risk management programs.