management function, information security organizations need improved capabilities and a change in mind-set.
[Figure: Risk Reduction (Ensuring compliance; Creating information security policies; Evaluating controls based on risk and benefit); Security Operations (Patching; Protecting the network perimeter); New Capabilities; New Mind-set; Risk Management Effectiveness]
Risk Understanding Index: ability to identify risks, assess vulnerabilities, and make informed investment prioritization decisions.
Business Partner Engagement Index: business partners' ability to understand risk information, independently manage risks, and incorporate risk information into business decisions.
[Figure: Methodology. 36 activities and 81 attributes of activities were regression tested against the outcome indices, yielding 45 significant drivers (16 activities and 29 attributes of activities). Significant drivers are organized into three capabilities; each capability is composed of activities, and activities have different attributes. Numbering example: 1.1; 1.2; 1.2.1 Standardization of business workflow risk assessments; 1.2.2 Automation of business workflow risk assessments.]
[Figure: Sample driver and outcome. Outcome index (benefit) on the Risk Understanding Index: driver "Decision Rights Not Defined" = 100 (low) versus "Clear Decision Rights and Tracking" = 136 (high), a benefit of 36%. Axes: Outcomes (Low to High); Sample Drivers (footnote 1), broken into Activities and Attributes (Low to High).]
For the full list of tested drivers, see the Appendix on pp. 108-117.
[Figure: Benefit of each significant driver, grouped by capability and split into activities and attributes; benefit axis from 0% to 100%.
I. Creating a Holistic, Forward-Looking View of Risk
II. Defining, Socializing, and Supporting Decision Rights
III. Understanding and Aligning to the Business's Risk Appetite (includes 3.1.2 Risk Appetite Determination Through Formal Discussions with Business Partners)
Drivers shown with 0% benefit (marked *): 4.3 Hire Analysts with an Information Security Certification (CISSP, CISM, etc.); 4.4.4 Security Framework Usage: ISO; 4.4.5 Security Framework Usage: COBIT; 4.4.6 Security Framework Usage: ITIL; 4.4.7 Security Framework Usage: NIST; 4.4.8 Security Framework Usage: Other; 4.4.9 Security Framework Usage: None.]
n = 67.
1. The benefit of each driver is measured against the most relevant of the two outcome indices, either Risk Understanding or Business Partner Engagement (see p. 7).