The following security risk management principles are applicable to how people and organisations use and make security decisions about technology.
The amount of rigour you apply, and approach you take to the application of these principles is of course dependent on what you are doing, how you are doing it and what you care about. There is no 'one size fits all' and you will need to make sensible decisions about how you apply them in the context of what you are doing.
- Accept that there will always be uncertainty - Risks are not always predictable and cannot be eradicated. Accepting this will help people to know that they can ask for help, admit mistakes, and seek advice from trusted sources.
- Make security risk management 'business as usual' - Managing risk is not a one-off activity. In order to make sensible decisions about what you are doing to protect the things that you care about, risk needs to be managed all the time, and must be integral to what you do.
- Know what you care about and why - Understand what needs to be protected and why. This understanding can then be reflected in the approach you take to managing risks.
- Understand what risks you are taking - It is important that you identify and understand any risks you are taking. This includes achieving a clear view of:
- how the things you care about could be compromised
- what impact a compromise would have on you
- how likely it is to happen.
This will help you to prioritise the things you need to do in response.
- Appreciate fully how risks are being managed - Once you have a clear view of the risks you face, you need to decide how they are going to be dealt with. It is important that you understand what you are doing (and what you are not doing) in response to risks that you have identified.
- Recognise the limitations of your risk management approach - All approaches to analysing and managing risk have limitations. You should understand any limitations that exist in the way you are identifying, analysing, assessing and managing risks.
- Control and direct the things you do to manage risk - The actions you take (and the decisions you make) in response to identified risks need to be governed to ensure they are consistent with the things you care about, your objectives and your priorities.
- Ensure systems are secure and usable - Unusable systems encourage users to find workarounds, resulting in systems that are unproductive and insecure. Your approach to risk management should recognise that technology systems and solutions need to be both usable and secure by design.
- Make sensible and timely risk management decisions - You need to make risk management decisions all the time. It is important that the people making decisions are accountable for them, and that you help them to make good decisions by ensuring that they have the right security and business skills, knowledge, information and tools.
- Get assurance that security is working as you expect it to - You need to have confidence (or assurance) that the things you are doing to manage risks are working as you expect them to. You should seek assurance from:
- the people that work for you
- the people you work with
- the technology you use
- the processes you rely upon to do something