High level overview on key considerations for the development of an enterprise risk management program. Presented by Sentinel Resource Group for the ASIS International Silicon Valley Chapter - Jan 2017.
2. Enterprise Security Risk Management
Outline For Today's Discussion
❖ What is ESRM - Enterprise Security Risk Management?
❖ Why do organizations pursue ESRM? - Differentiating Desire from Mandate
❖ What are some of the critical success factors in establishing an ESRM program?
4. ASIS International - CSO Roundtable White Paper
Enterprise Security Risk Management - A Working Definition
"ESRM is a management process used to effectively manage security risks, both proactively and reactively, across an enterprise. ESRM continuously assesses the full scope of any security-related risks to an organization and within the enterprise's complete portfolio of assets.
The management process quantifies threats, establishes mitigation plans, identifies risk acceptance practices, manages incidents, and works with risk owners to develop remediation efforts."
5. Enterprise Security Risk Management
Desire, Mandates & Key Distinctions
• Is ESRM program development desired or mandated? By whom? (Regulators; Industry; Board of Directors; C-Suite; Others?)
• Mandated program framework(s)?
  • Regulatory Compliance
  • Industry-Specific
  • Geography-Specific
  • Function- or Risk-Specific
  • Others?
• Industry-Specific Mandates, Best Practices, Benchmarking?
• Other considerations?
7. Enterprise Security Risk Management
Critical Success Factors*
Senior Executive Support & Engagement
Key Stakeholder Buy-In
Sense of Urgency
Change Leadership
Company Culture
Organizational Structure / Model
Diversity of Competence
…among many other factors.
*Not intended to be a comprehensive list.
9. Enterprise Security Risk Management
Program Development Road Map
• Establish Your Current State Baseline
• Determine Your Desired Future State / Program Model
• Conduct A Needs / Gap Assessment, ID Stakeholders
• Prioritize, Integrate, Align, Sequence, Execute & Assess
10. Enterprise Security Risk Management
Notable ERM Links & Resources
• ASIS - CSO Roundtable: https://cso.asisonline.org/esrm/
• GARP: https://www.garp.org/
• RIMS: https://www.rims.org/Pages/Default.aspx
• COSO: https://www.coso.org/Pages/default.aspx
• ISACA ERM: http://www.isaca.org/chapters9/Accra/Events/Documents/ERM%20ISACA.pdf
• ISO 31000: https://www.theirm.org/media/886062/ISO3100_doc.pdf
"Good risk management fosters vigilance in times of calm and instils discipline in times of crisis."
11. To get involved with ASIS ESRM initiatives…or for more information, contact us:
SRG General Inquiries:
inquiry@sentinel-rg.com