{"id":597,"date":"2016-07-21T08:16:53","date_gmt":"2016-07-21T08:16:53","guid":{"rendered":"http:\/\/it-toolkits.org\/blog\/?p=597"},"modified":"2016-07-28T14:29:56","modified_gmt":"2016-07-28T14:29:56","slug":"security-risk-management","status":"publish","type":"post","link":"https:\/\/it-toolkits.org\/Blog\/security-risk-management.html","title":{"rendered":"Security risk management"},"content":{"rendered":"<p><a href=\"http:\/\/it-toolkits.org\/\">Risk management<\/a> is the identification, assessment and prioritisation of risks followed by coordinated and economical application of resources to minimise, monitor, and control the probability and\/or impact of unforeseen events.<\/p>\n<p><a href=\"http:\/\/it-toolkits.org\/\">Security risk management<\/a> is the specific culture, processes and structures that are directed towards maximising the benefits of security in support of business objectives.<\/p>\n<p>Adopting a risk based approach allows agencies to prioritise activities based on the likelihood and consequence of a risk being realised, to maximise business outcomes while minimising the occurrence or effects of events that may negatively affect outcomes.<\/p>\n<p><strong>Understanding <a href=\"http:\/\/it-toolkits.org\/\">security risk management<\/a><\/strong><\/p>\n<p>Non-corporate Commonwealth entities (agencies) need to develop a security risk management process to identify:<\/p>\n<ul>\n<li>specific risks to their people, information and assets<\/li>\n<li>the agency&#8217;s level of risk tolerance<\/li>\n<li>appropriate protections to reduce or remove risks<\/li>\n<li>untreatable residual risks (such as doing business on the internet) and accept responsibility for the risk.<\/li>\n<\/ul>\n<p>An appropriate level of security risk will vary from agency to agency but the process should be transparent and justifiable. Risk avoidance is not risk management.<\/p>\n<p>Regardless of an agency&#8217;s functions or security concerns, the central messages for <a href=\"http:\/\/it-toolkits.org\/\">managing security risks<\/a> are:<\/p>\n<ul>\n<li><a href=\"http:\/\/it-toolkits.org\/\">security risk management<\/a> is the business of each staff member including contractors in the agency<\/li>\n<li><a href=\"http:\/\/it-toolkits.org\/\">risk management<\/a>, including security risk management, is part of day-to-day business<\/li>\n<li>the process for managing security risk is logical and systematic, and should form part of the standard management process of the agency<\/li>\n<li>changes in the threat environment are to be continuously monitored and necessary adjustments made to maintain an acceptable level of risk and a balance between operational needs and security.<\/li>\n<\/ul>\n<p>Agencies are to:<\/p>\n<ul>\n<li>establish the scope of any security risk assessment and identify the people, information and assets to be safeguarded<\/li>\n<li>determine the threats to people, information and assets in Australia and abroad, and assess the likelihood and impact of a threat occurring<\/li>\n<li>assess the risk based on the adequacy of existing safeguards and vulnerabilities<\/li>\n<li>implement any supplementary protective security measures that will reduce the risk to an acceptable level.<\/li>\n<\/ul>\n<p><strong>Commonwealth risk management policy guide<\/strong><\/p>\n<p>The goal of the Commonwealth risk management policy is to embed <a href=\"http:\/\/it-toolkits.org\/\">risk management<\/a> as part of the culture of Commonwealth entities where the shared understanding of risk leads to well informed decision making.<\/p>\n<p>The Commonwealth risk management policy sets out nine elements which non-corporate Commonwealth entities must comply with in order to establish an appropriate system of risk oversight and management.<\/p>\n<p>The nine elements of the Commonwealth risk management policy are to:<\/p>\n<ol>\n<li>Establish a risk management policy.<\/li>\n<li>Establish a risk management framework.<\/li>\n<li>Define responsibility for managing risk.<\/li>\n<li>Embed systematic risk management into business processes.<\/li>\n<li>Develop a positive risk culture.<\/li>\n<li>Communicate and consult about risk.<\/li>\n<li>Understand and manage shared risk.<\/li>\n<li>Maintain risk management capability.<\/li>\n<li>Review and continuously improve the management of risk.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Risk management is the identification, assessment and prioritisation of risks followed by coordinated and economical application of resources to minimise,<\/p>\n","protected":false},"author":1,"featured_media":598,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-597","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it-risk-management"],"_links":{"self":[{"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/posts\/597"}],"collection":[{"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/comments?post=597"}],"version-history":[{"count":0,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/posts\/597\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/media\/598"}],"wp:attachment":[{"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/media?parent=597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/categories?post=597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it-toolkits.org\/Blog\/wp-json\/wp\/v2\/tags?post=597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}