Policies, Procedures, and Risk Management
March 31, 2009 | Author: PM Hut | Filed under: Risk Management
By Bernie L. Dixon
Risk management is nothing more than the technical and physical implementation of the written policies.
Policies are passive – they enforce nothing, as they are just words on paper; however, they set the organization's corporate culture towards security. In other words, they state what the owners expect in regard to security requirements. They cover many topics, such as configuration management, change control, business continuity and disaster recovery, network security, human resources, acceptable use, and so on.
However, they typically do not cover the step-by-step procedures for how to make it all happen. Custodians take the policies and begin to translate them into procedures, or the “how.” Risk management bridges the two processes by identifying:
- What the organization has that is worth protecting (assets),
- What could do harm to those assets (threats),
- What weaknesses (vulnerabilities) currently exist that would allow the harm to materialize, and
- How probable it is that the threats will exploit those weaknesses and put the assets at risk.
Once all this is understood, we are ready to recommend which safeguards or countermeasures need to be put in place to reduce the risk to a level acceptable to the organization. This is where technology finally makes its appearance – it is where we match the technology to all these processes to design the most effective and efficient security architecture.
Bernie L. Dixon is a Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP). He has over 30 years' experience in the field of computer and network security, including cryptography. Bernie served 25 years in the United States Air Force, where his responsibilities included analyzing and resolving communications and computer security-related problems. Upon retirement, Bernie became the Manager of Information Protection for AT&T Technical Services in San Antonio, TX, where he was responsible for communications-computer security. After 3 years, he served as the Director of System Security for Access Research Corporation. Bernie started his own company in November 1997 and has done network security consulting for companies such as TRW, Unisys, Ascend (now Lucent), the Department of the Treasury, the Department of the Air Force, and the NSA. He wrote two security courses for Global Knowledge, titled Designing Security Architectures and Check Point NGX CCSA/CCSE.
This article was originally published in Global Knowledge’s Business Brief e-newsletter. Global Knowledge delivers comprehensive hands-on project management, business process, and professional skills training. Visit our online Knowledge Center at www.globalknowledge.com/business for free white papers, webinars, and more.
© Copyright 2009, Global Knowledge. All rights reserved.