Security and Risk Management

All organizations possess numerous assets, including facilities, hardware, software, and information. It is critical, therefore, that these organizations define and implement appropriate policies and procedures to protect those assets as part of a security management approach. Once all assets are identified, organizations must ensure, to the greatest degree possible, that the vulnerabilities of each asset have been identified in order to define a risk management strategy that protects the assets' confidentiality, integrity, and availability. Confidentiality ensures information is accessible only to those who require access to it. Integrity ensures the accuracy of information. Availability ensures the information is accessible when needed.

Organizations use various tools to manage their security and risk profiles. These tools include data classification (e.g., confidential, proprietary, private), risk assessment approaches, and risk analysis, enabling organizations to both categorize their assets and identify threats and vulnerabilities. Once identified, the organizations can then select appropriate security measures and controls to protect their assets and mitigate risks. Security controls take many forms and include management controls (e.g., policies, guidelines, procedures), operational and physical controls (e.g., policy execution, education and training, facility protection), and technical controls (e.g., access control, identification, authorization).

As organizations establish their security management strategies, beyond the focus areas already described, they must also consider their information security governance approach; how they will acquire or develop systems and/or services; their approach to addressing cybersecurity threats through risk management; the certification and accreditation of their systems; and their security assessment strategies. In doing so, they will develop documentation including new standards, policies, and procedures, as well as documents such as system security plans (SSPs), risk mitigation plans, and system security authorization agreements (SSAAs).

How do cyber risk management and compliance work? A risk is a threat that has some likelihood of occurring, exploiting a vulnerability, and resulting in some negative impact or loss to the organization. If an organization can proactively identify a potential threat or cybersecurity vulnerability, it can put countermeasures, or safeguards, in place to mitigate that risk. Effective risk management implementation includes a risk assessment to identify, analyze, and prioritize the risks, and risk control, which includes risk management planning, risk monitoring, and risk resolution. Risks can be associated with a variety of organizational assets including, but not limited to, hardware, software, data/information, people, and facilities. A thorough risk assessment must consider organizational assets and their vulnerabilities, determine the likelihood of each risk occurring, and quantify the potential impact in order to establish an effective risk management plan. This process must be revisited regularly to ensure the organization's security posture remains as effective as possible.

The following resource on the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge covers topics related to this subject area and will help you better understand it.

Ouyang, A. (n.d.). Information security governance & risk management domain. In *CISSP common body of knowledge review*. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from