A practical example of using an established framework which could be applied to your organisation:
[…] Intel used the framework to create a risk heat map that can be used to set risk tolerance baselines, identify areas that need more detailed or technical assessments, identify areas of underinvestment and overinvestment, and assist in risk prioritization.
Intel divided their computer infrastructure into five critical business functions and piloted the Framework to perform an initial high-level risk assessment for one business function. They conducted the project in four phases:
- Set target scores: A core group of security SMEs set target scores, validated Categories, developed Subcategories, and performed an initial risk assessment and scoring. This phase helped the team validate that their approach could be a meaningful tool for prioritization and risk tolerance decisions.
- Assess current status: Separate from the core group, several individual security SMEs conducted an independent risk assessment based on the framework. They individually scored the Categories and noted specific Subcategories where opportunities to improve existed.
- Analyze results: They used the heat map format to examine areas of concern at the Subcategory level to further identify specific areas for improvement.
- Communicate results: They reviewed their findings and recommendations with Intel’s CISO and staff. This process fostered a dialogue and helped the broader team agree on risk tolerance and prioritization.
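The target-versus-current scoring behind the heat map, as an added worked example in Python that is not from the page or from Intel: the gap between a Category's target score and the mean of the independent SME scores flags underinvestment (positive gap) or overinvestment (negative gap), and wide disagreement between assessors is treated as a signal that the Category needs a more detailed technical assessment (an assumption of this example). The Category names, the 0-4 maturity scale, the thresholds and all scores are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed illustration: hypothetical Category names, a 0-4 maturity scale and
# target scores set by the core SME group ("set target scores" phase).
TARGET = {"Asset Management": 3, "Access Control": 4, "Awareness Training": 2,
          "Anomaly Detection": 4, "Incident Response": 4, "Recovery Planning": 3}

# Constructed scores from three hypothetical SMEs who assessed independently
# ("assess current status" phase).
ASSESSMENTS = [
    {"Asset Management": 2, "Access Control": 3, "Awareness Training": 3,
     "Anomaly Detection": 1, "Incident Response": 4, "Recovery Planning": 2},
    {"Asset Management": 2, "Access Control": 2, "Awareness Training": 3,
     "Anomaly Detection": 3, "Incident Response": 3, "Recovery Planning": 3},
    {"Asset Management": 3, "Access Control": 3, "Awareness Training": 4,
     "Anomaly Detection": 1, "Incident Response": 4, "Recovery Planning": 3},
]

def gap_analysis(target, assessments, tolerance=0.5, disagreement=0.8):
    """One row per Category: target, mean current score, gap and investment status.
    gap >  tolerance -> underinvested (candidate for budget / deeper assessment)
    gap < -tolerance -> overinvested  (candidate to redirect budget)
    A population std-dev above `disagreement` marks the Category for a detailed
    technical assessment (assumption of this example, not a rule from the page)."""
    rows = []
    for cat, tgt in target.items():
        scores = [a[cat] for a in assessments]
        cur = mean(scores)
        gap = round(tgt - cur, 2)
        status = ("underinvested" if gap > tolerance
                  else "overinvested" if gap < -tolerance else "on target")
        rows.append({"category": cat, "target": tgt, "current": round(cur, 2),
                     "gap": gap, "status": status,
                     "needs_deep_dive": pstdev(scores) > disagreement})
    return rows

def prioritize(rows):
    """Heat-map order: largest positive gap first; ties broken by lower current score."""
    return sorted(rows, key=lambda r: (-r["gap"], r["current"]))

def render_heat_map(rows):
    """Text heat map: the bar length tracks the size of the gap in either direction."""
    return [f"{r['category']:<20} target {r['target']} current {r['current']:.2f} "
            f"gap {r['gap']:+.2f} {r['status']:<13} {'#' * int(abs(r['gap']) * 3)}"
            f"{'  <- deep dive' if r['needs_deep_dive'] else ''}"
            for r in rows]

if __name__ == "__main__":
    print("\n".join(render_heat_map(prioritize(gap_analysis(TARGET, ASSESSMENTS)))))
```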
This process brought the organization several benefits. One of the most valuable was the internal dialogues it helped foster — risk conversations became grounded in a shared understanding of the threats, vulnerabilities, and impacts the organization faces, and the organization gained improved visibility into their strengths and opportunities to improve. All of this helps the organization set better security priorities, and better deploy budgets and security solutions. And best of all, all of these results were achieved with a cost of under 175 FTE (full-time-employee) hours.