Minimum Viable Risk Management Program

Offered By: BSidesLV via YouTube

Tags

Security BSides Courses, Risk Management Courses, Asset Management Courses

Course Description

Overview

Discover a practical approach to implementing a risk management program for small or immature organizations in this BSidesLV conference talk. Learn about the fundamental components of risk management, including threat events, vulnerabilities, and secondary loss events. Explore the reasons for establishing a risk management program and examine current options available for smaller entities. Follow a step-by-step guide to creating a basic plan, starting with defining scope and inventorying assets. Gain insights into performing Binary Risk Assessments and understand their role within a comprehensive program. Delve into risk treatment strategies and decision-making processes, including determining appropriate sign-off levels for different risk categories. Address the weaknesses of Binary Risk Assessments by incorporating Factor Analysis of Information Risk. Acquire knowledge on essential documentation, including risk management policies and templates for risk treatment decisions. Enhance your organization's security posture with this minimum viable risk management framework.

Syllabus

Intro
Unsolved problem in information security
Threat event
Vulnerability
Secondary loss event
Why have a risk management program?
Current options for small/immature orgs
Basic plan
Decide on scope
Inventory assets & owners
Sort the inventory by granularity
Example granularities
Perform Binary Risk Assessment
Binary Risk Assessment as part of a program
What is the purpose of risk assessment?
Asset owners decide what to do about low & medium risks
How to treat risk
What's the right level to sign off on a risk?
Likelihood/frequency of loss questions
Magnitude of loss questions
Binary Risk Assessment weaknesses
Add Factor Analysis of Information Risk
External Documentation
Risk Management Policy
Templates
Risk treatment decision template
Questions?


Taught by

BSidesLV
