What is Risk Management?
Risk Management is a process where a business determines security priorities and makes security
decisions in line with the business risk appetite." Risk management sees security as central to the
business, not just a subset of "IT."
Risk Management allows businesses to allocate scarce resources to protect their most critical assets and
systems. This allows for greater efficiency and effectiveness in the security program. Consultation with
organizational leadership is necessary, both to identify the risk appetite and to handle risks which
cannot be adequately reduced.
Select Risk management methodologies:
GDPR: General Data Protection Regulation
HIPAA: Health Insurance Portability and Accountability Act
PCI-DSS: Payment Card Industry Data Security Standards
NIST: National Institute of Standards and Technology, several methodologies, including SP 800-30 Guide
of Conducting Risk Assessments and SP 800-37 Guide for Applying Risk Treatment Methods
COBIT: Control Objectives for Information and Related Technologies (ISACA)
Other methodologies exist such as: SOX (Sarbanes Oxley Act),
FISMA (Federal Information Security Management Act), GXP (Good Practice Assessment), ISO/IEC 27005,
ISO/IEC 27002, ISO/IEC 27001, and HITRUST