Enterprise Security Risk Management
Enterprise Security Risk Management (ESRM)
Our Enterprise Security Risk Management (ESRM) methodology is the cornerstone of our converged security offering. ESRM is the framework that describes what we do and how we do it. It is focused on ensuring the correct controls are correctly deployed and monitored to deliver the appropriate level of security for an organisation. It is consistent with Enterprise Risk Management (ERM) concepts and aligned to the ISO 31000 Risk Management Standard.
ESRM is the management of any security risk using established risk principles, and includes the following five steps. These steps form a continuous loop for improved risk management:
1. Identify and prioritise assets
Includes the process of identifying and prioritising the enterprise’s assets (people, customers, processes, information, facilities, reputation, regulatory obligations, etc.). Involves engagement and collaboration within the Security Partnership to understand their value and importance to enterprise mission and goals.
2. Identify and prioritise risks
Involves understanding the relationship of risks to the value of assets. Identifies probability and potential impact of risk on an asset, and the vulnerability of assets to security threats, including an assessment of existing security controls. Informs the development of the security solution.
3. Mitigate the risks
Encompasses the identification and deployment of the security (including protective security, electronic security, personnel security and information security) solution.
4. Incident response
Includes incident response, crisis management and fraud/forensic/insider threat investigations relating to a risk that has been realised and has resulted in a breach of existing security controls.
5. Ongoing risk assessment
Continuous/periodic monitoring of the changing risk landscape, including the identification and assessment of new enterprise objectives, risks, assets and vulnerabilities, and the reassessment of existing objectives, risks, assets and vulnerabilities, the external and internal risk context, and the condition, efficacy and performance of security controls.
Ultimately, ESRM can help provide the complete picture of threats facing an organisation and then address these risks by implementing the appropriate controls and maintaining compliance with relevant external standards and guidelines (ISO 27000, PSR, NIST, ASD-E8, etc.).
Mapping our solutions to ESRM
The ESRM framework enables us to present our customers with an overview which puts them at the core of a holistic view of the risks they face, and the strategies and controls that can be recommended and deployed by Optic to mitigate these and protect their customers, information and people.
Optic structures its operations and security risk solutions according to the above five-step framework. The following table illustrates this with a small selection of our services:
Structuring our solutions on the ESRM framework assures our customers that the security solutions we recommend and install are commensurate to the risks they are designed to mitigate, fit-for-purpose, responsive to change, regularly serviced and future-proof.
GET IN TOUCH TODAY TO FIND OUT MORE
For a no obligation discussion about how our Enterprise Security Risk Management approach can make your organisation more resilient to security risk, contact us today.