After helping many clients roll out quantitative cyber risk management, RiskLens Risk Consultant Brad Agee created a policy document covering the guidelines and requirements that successful programs have instituted to smoothly operate a RiskLens/FAIR™ program.
With input from RiskLens Chief Risk Scientist and FAIR model creator Jack Jones, Brad is now sharing what he’s learned in two downloadable PDFs: one version is an outline of the elements of the policy, the other is the same outline fleshed out with suggested example content. Download and customize for your organization.
Ideally, you would implement this policy and have the guidelines in place before you launch the RiskLens-FAIR Enterprise Model (RF-EM), which includes configuring the RiskLens platform and receiving training and program set-up from RiskLens services experts.
The quantitative risk management policy document covers:
- Governance, including roles and responsibilities and developing risk appetite and KRIs
- Metrics, including requirements for asset management and threat landscape monitoring, as well as the necessary steps in conducting risk analysis
- Risk Management, including criteria for logging loss events and when and how root cause analysis must be applied.
Process questions the policy document can help you answer include:
- Cadence for risk reporting to various levels of the business
- How to develop a risk appetite statement
- Record keeping on crown jewel assets
- Periodic controls testing
- Training levels for analysts
- When cost-benefit analyses are to be required
- Rules for data gathering on non-compliant controls
Again, the intention is to give you a document you can customize. Let us know how it goes: contact us with your comments or questions on the policy document.