Layer 3: Risk & Policy
The authority of any control or piece of guidance depends entirely on when and how an organization references it. Mature GRC programs select controls deliberately, based on the organization's own threats and risk appetite rather than by adopting a framework wholesale.
Risk is the potential for loss or damage when a threat is realized. It sits at the intersection of the impact of an event and the likelihood of that event occurring. Risk is assessed at a high level and requires a firm understanding of the organization's landscape, from technical details to geopolitical ones. It is typically informed by a threat assessment: the situational likelihood of a negative outcome is estimated first, then weighted by the impact that outcome would have. Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives.
Risk appetite should be documented in a risk catalog, which then determines when and how rules are created for the organization. A policy is a clearly scoped set of rules derived from the organization's risk appetite. It provides governance rules that, while grounded in best practices and industry standards, are tailored to the organization. Because every policy implicitly accepts some level of risk, a policy cannot be developed properly without reference to the organization's specific risk appetite.
![Figure 5.2: References Risks and Controls](/assets/model-images/figure-5.2-dark.png)
A complete policy document is time-bound, references threat-informed controls together with their assessment requirements, and includes a clear plan for rolling the policy out to the parties it affects.
Policy documents may reference other policy documents, forming a functional inheritance model. They can be distributed to the relevant parties as design requirements and used as the starting point for Layer 5 assessments. Policies are significantly more likely to succeed in practice when the underlying risks are distributed with them, mapped to the specific threats they stem from and the controls that address them.
A policy document created during planning can serve as a functional design requirement, ensuring that security is built into the sensitive activity from the outset instead of becoming an obstacle later.