We Need Mission-focused Risk Management Programs to Adapt to Changing Circumstances

There are countless lessons we will learn from the ongoing COVID-19 pandemic, the value of a risk management program being just one. 


To have an effective risk management program, security and compliance teams should continuously analyze the people, processes and technologies identified as mission- and business-essential during a crisis, and ensure this information is reflected in each system security plan. It is also essential to expand or create an integrated risk management program that is separate from (but complementary to) a compliance program, and adaptable to changes in circumstance.


Over the past several years, the security and compliance industry has stressed the importance of communication up and down the chain. Common forms of information delivery up the chain are scorecards, dashboards and other graphics. These hypnotic visuals attempt to translate the relationship between system vulnerabilities and business objectives, but rarely hit the intended mark. In the midst of a global pandemic, everyone in IT is awake and talking about the new challenges to our security postures. It has never been more important to evaluate our systems and the relationships they have to our lines of business. 


Don’t get me wrong, compliance scorecards are developed with the best of intentions. However, in times like this, we realize that the red, amber and green on our scorecard contribute little to the system’s ability to support continuity of operations in times of crisis. What do I mean by this? Ask any information system security officer supporting an assessment and authorization, or A&A, effort what their system categorization is, and they will confidently tell you. Ask them to describe (without using low, moderate or high) what impact the system has on the organization, and you will likely get a rehash of the system’s descriptio ..
