Organizations are continuously exposed to a host of evolving threats, which create a multitude of security risks. Security risks to the enterprise have not consistently been viewed or managed through defined risk management principles and processes. A consistent and holistic approach will enable organizations to effectively manage security risks and the impacts on the business.  This document will frame the practice of Enterprise Security Risk Management (ESRM) and provide a high-level perspective of the concepts and management processes that should be used to manage security risks to and across an organization. 
A common understanding of ESRM will help practitioners and organizations to more effectively manage security risks.  ESRM needs to be fully integrated into corporate processes at every level of the business and by every security risk professional. Therefore, the audience is anyone involved with identifying, understanding, and/or managing security risks, including:
  • Business Leaders: Executives and managers throughout the organization will gain a better understanding of industry-accepted best practices related to the management of enterprise security risk.     
  • Security Practitioners: Security professionals at every level will find in these ESRM principles a common and repeatable set of practices, which will help identify, quantify, prioritize, and manage security risk in a consistent manner.     
  • Audit and Risk Professionals: This document will provide a common framework of generally accepted practices related to the management of security risks across an enterprise. 
ESRM is a management process used to effectively manage security risks, both proactively and reactively, across an enterprise. ESRM continuously assesses the full scope of security-related risks to an organization and within the enterprise’s complete portfolio of assets. The management process quantifies threats, establishes mitigation plans, identifies risk acceptance practices, manages incidents, and guides risk owners in developing remediation efforts.


ESRM uses risk-management principles to manage security-related risks across an enterprise. ESRM does not define an organizational structure. Enterprise risk management (ERM) uses risk-management principles to address enterprise risk issues and often defines an organizational structure. The security department may be represented within an ERM program if one exists, but ESRM is simply the processes under which the security department manages security-related risks.


The Vision of ESRM is to manage the protection of an organization’s enterprise-wide assets, enabling the business to advance its mission.  The Mission of ESRM is to provide consistent identification, evaluation, and treatment of security risks to mitigate potential impacts to the business and prioritize protective activities.  The Goals of ESRM are to establish organizational policies, procedures, best practices, and capabilities to identify and manage security risks to the enterprise in an effective, consistent, and efficient manner.


An enterprise security risk management program must be built upon a culture of managing security risks that follows a common approach to risk management practices, which includes the following key components (see Figure 1 below):
1. Identification and Valuation of Assets: Identification of assets and the proper stakeholder(s)/department(s) responsible for each asset. Valuing assets involves engaging the stakeholder(s) to identify the short- and long-term value, actual and perceived, of those assets, as well as their value to individual owners and departments and their relevance to the enterprise.
2. Identification of Risks and Vulnerabilities: This includes assessing the intentional or unintentional exploitation of each vulnerability, the effect on each asset, and the potentially disruptive effect on the business and its goals if the vulnerability were exploited.
3. Evaluation of Security Risks: An evaluation ensures that decisions can be made on which risk treatments to implement, and helps prioritize the resources needed to address the identified security risks.
4. Mitigation: Mitigation processes, coordinated with the proper security risk stakeholder(s), identify and develop the available remediation plans. A proper assessment of each plan measures its effect on the targeted risk. Mitigation plans could include:
  1. Termination of the activity that causes the security risk.
  2. Mitigation: controls that limit the probability or the impact of the security risk.
  3. Transfer of the risk to another party, e.g., through insurance.
  4. Acceptance of the risk.
5. Remediation: Both security representatives and the risk stakeholder(s) are responsible for implementing the mitigation and remediation plan. The fact that a mitigation plan has been developed does not mean that security's role ends.
6. Risk Governance: If the security risk is to be accepted, the role of security is to verify that the proper security risk stakeholder(s) have evaluated the risk and that it is accepted at the appropriate level, escalating where necessary. Ensuring that security risks are accepted at the correct levels can be the most difficult part of the security role in ESRM. Escalation or broader conversations may be necessary to make sure that all of the security risk stakeholders are engaged in proportion to the risk and its potential impact.
7. Intelligence Gathering: Information on evolving security threats can be gathered through both reactive and proactive means. An "incident" can be a security event, an investigation, an article in the paper, a court decision, or another event.
8. Root Cause Analysis and Post Mortem: Throughout the incident response, security must examine and analyze the root causes of the incident to understand the nature of the threat as well as the controls that could help avoid or mitigate similar events in the future. Issuing post-mortem recommendations does not mean that they must be implemented, or that security should take on the role of implementing them; it is an acknowledgement of the available remediation opportunities. Security professionals should not be the only ones weighing in on the recommendations: the post mortem should be distributed to every security risk stakeholder, as well as to any responsible party engaged in managing security risks (e.g., internal audit, the controller, compliance).
9. Reassess Security Risks: After any event, the asset and the related security risk must be reassessed to gauge whether the risk's impact has changed and whether it should be re-prioritized. Reassessment should also occur on a regular basis, not just in response to an event, because security risks change. Triggers include a new threat, a change in the regulatory environment, a recent lawsuit, an unrelated security event that has gained notoriety, or even a conversation with an executive.
Figure 1 (ESRM cycle, labels only): 1. Identify Security Vulnerabilities and Risks to Each Asset; 2. Prioritize the Security Risk and the Security-Risk Relationship with Each Asset; 3. Develop Risk Treatment Plans; 4. Continuous Improvement.

ESRM Principles
  1. Identify and Quantify the Enterprise's Assets. In this scenario, the assets are the safety of the employees, executives, and guests of the company during the special event.
  2. Identify and Quantify Security Risks to Each Asset. The risk is that protest activity spills over into the ingress and egress of the event. Additionally, given the volume of activity within a confined area, there is concern about a potential increase in crimes against visitors to the event.
  3. Prioritize the Security Risk and the Security Risk Relationship with Each Asset. Crimes against persons attending the event and disruption of the overall event are the prioritized risks.
  4. Develop Risk Treatment Plans. The security manager works with the asset owners to discuss the overall risk. The discussion should allow each party to weigh in and determine what steps should be taken or whether the risks should be accepted:
    1. Terminate the risk: cancel or postpone the event.
    2. Mitigate the risk: implement all or a portion of the controls/countermeasures highlighted in the proposal.
    3. Transfer the risk: add insurance.
    4. Accept the risk: after the risk owners are consulted, there may be agreement to simply accept the existing level of risk. At this point, as long as the correct risk owners were consulted, the security practitioner's involvement in the process is complete and the risk acceptance is appropriate.
  5. Continuous Improvement. The security group continues to monitor events and the environment for factors that may change the risk and its prioritization. These could include an event at which criminal activity occurred, statistics indicating that crime in the area has increased, incidents in which employees have complained about their safety, and so on.

Field Access to Information

The CIO group is working with the leadership team to develop strategies that will enhance customer relationships, targeting greater capability and productivity for the field-consulting workforce. The core idea is to enable consultants to spend longer productive periods at client premises and to improve their interactions with clients. One proposed strategy centers on making the organization's proprietary tools, data, and consulting processes available to its consultants in the field, instead of solely within the office. The security group is consulted because some of the processes and methods used are trade secrets that differentiate the business and give it a competitive advantage.
There are also concerns about the proprietary database of data becoming exposed or copied.  The consulting group has made a strong case for access to the tools and data, speculating about additional ROI to the business, and has also suggested utilization of Bring Your Own Device (BYOD). The security professional engages the business stakeholders in a consultative fashion using ESRM processes to evaluate the asset value, vulnerabilities, and risks to the business.   
  1. Identify and Quantify the Enterprise’s Assets. The assets are the trade secrets used by the knowledge workers. The security group works with several stakeholders in the business including consulting and legal to identify and value the assets, which consist of proprietary consulting methods and processes, and data in proprietary databases. The economic value of the information assets to the business is identified.     
  2. Identify and Quantify Security Risks to Each Asset. The risks to the trade secrets and data are to confidentiality (unauthorized exposure), integrity (corruption or destruction of core data), and availability (continued access by practitioners to do their job). Fewer concerns exist around integrity and availability. An ALE (annualized loss expectancy) is already known for the loss of smartphones and laptops, the appliances that contain or access the information.
  3. Prioritize the Security Risk and the Security Risk Relationship with Each Asset. Unauthorized access to a complete trade-secret process has a direct relationship to the security of the information appliance, the workflow and structure of the software, the motivation of the individual to help protect the trade secret, and the effectiveness of the security culture and controls.
  4. Develop Risk Treatment Plans. With security's help in valuing the information assets, the business owner realizes that the financial impact of trade-secret exposure exceeds the designated financial authority of any single leader, and thus requires Board approval. A case is presented to the Board by the business owner with the CSO's support. The Board considers the business's proposal on a risk-reward basis and approves the plan for risk treatment. The risk treatment involves several steps.
The first step in the risk strategy is to significantly reduce the impact that exposure of the trade secret would have, by breaking the trade-secret process into several pieces, and implementing each piece in different parts of the enterprise software, so that the entire secret cannot be exposed at any given time.  
Further steps to decrease the likelihood of exposure of the trade secret include undertaking a secure-software design in partnership with IT. An information-security awareness culture is implemented which trains and provides incentives to field practitioners in line with company culture.  Technical controls at implementation time include encryption and strong-authentication technologies. Further mitigation is achieved by use of thin-client software, which limits access connectivity and access to core system resources.
  5. Continuous Improvement. Security and the business owner will monitor incidents according to the target metrics developed and agreed.
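Both scenarios above (the special event and field access to information) walk through the same steps: value the assets, quantify the risk to each, prioritize, compare treatment options, confirm acceptance at the right level, and reassess as conditions change. The following added example, which is not from the original article, puts numbers on those steps for the field-access case. It uses the standard annualized loss expectancy formula (ALE = SLE x ARO, single loss expectancy times annualized rate of occurrence); every asset name, amount, control factor, and financial-authority limit is a constructed assumption, and the return-on-security-investment comparison of layered treatments goes a step beyond what the article itself spells out.

```python
# Added example, not from the original article: a minimal quantitative
# risk register in the ESRM style. ALE = SLE x ARO is the standard
# annualized-loss-expectancy formula; all asset names, amounts, control
# factors and authority limits below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    owner: str
    threat: str
    sle: float  # single loss expectancy (currency units per incident)
    aro: float  # annualized rate of occurrence (incidents per year)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Treatment:
    name: str
    kind: str  # one of: terminate, mitigate, transfer, accept
    annual_cost: float
    impact_factor: float = 1.0      # multiplies SLE; 0.25 = 75% less loss per incident
    likelihood_factor: float = 1.0  # multiplies ARO; 0.5 = half as many incidents


def residual_ale(risk: Risk, treatments: list[Treatment]) -> float:
    """ALE after applying a set of treatments; factors compound for layered controls."""
    sle, aro = risk.sle, risk.aro
    for t in treatments:
        sle *= t.impact_factor
        aro *= t.likelihood_factor
    return sle * aro


def rosi(risk: Risk, treatments: list[Treatment]) -> float:
    """Return on security investment: (ALE reduction - cost) / cost.
    Plain acceptance costs nothing and saves nothing, so it scores 0.0."""
    cost = sum(t.annual_cost for t in treatments)
    saving = risk.ale - residual_ale(risk, treatments)
    if cost == 0:
        return float("inf") if saving > 0 else 0.0
    return (saving - cost) / cost


def prioritize(risks: list[Risk]) -> list[str]:
    """Asset names ordered by ALE, highest first (the ESRM prioritization step)."""
    return [r.asset for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def approval_level(amount: float, authority: dict[str, float]) -> str:
    """Lowest role whose financial authority covers `amount`; an exposure above
    every limit escalates to the Board, as in the field-access scenario."""
    for role, limit in sorted(authority.items(), key=lambda kv: kv[1]):
        if amount <= limit:
            return role
    return "Board"


def reassess(risk: Risk, new_aro: float) -> Risk:
    """Continuous improvement: re-rate likelihood after new intelligence
    (rising local crime statistics, a newly reported threat, ...)."""
    return Risk(risk.asset, risk.owner, risk.threat, risk.sle, new_aro)


# --- constructed sample register for the field-access scenario (assumed values) ---
TRADE_SECRET = Risk("Proprietary consulting process", "Head of Consulting",
                    "unauthorized disclosure from a field device", sle=5_000_000, aro=0.25)
LAPTOP_LOSS = Risk("Consultant laptops/phones", "IT",
                   "device lost or stolen", sle=20_000, aro=3.0)
DB_CORRUPTION = Risk("Proprietary database", "Head of Consulting",
                     "corruption or destruction of core data", sle=250_000, aro=0.125)
REGISTER = [LAPTOP_LOSS, DB_CORRUPTION, TRADE_SECRET]

# Treatments mirroring the article's plan: split the secret (impact), thin
# client + encryption + strong auth (likelihood), insurance (transfer), accept.
SPLIT_PROCESS = Treatment("split secret across enterprise systems", "mitigate",
                          annual_cost=150_000, impact_factor=0.25)
THIN_CLIENT = Treatment("thin client + encryption + strong auth", "mitigate",
                        annual_cost=200_000, likelihood_factor=0.5)
INSURANCE = Treatment("trade-secret loss insurance", "transfer",
                      annual_cost=125_000, impact_factor=0.5)
ACCEPT = Treatment("accept as-is", "accept", annual_cost=0)

AUTHORITY = {"Security manager": 250_000, "CIO": 1_000_000}  # assumed sign-off limits

if __name__ == "__main__":
    print("priority order:", prioritize(REGISTER))
    for option in ([ACCEPT], [INSURANCE], [SPLIT_PROCESS], [SPLIT_PROCESS, THIN_CLIENT]):
        label = " + ".join(t.name for t in option)
        print(f"{label}: residual ALE {residual_ale(TRADE_SECRET, option):,.0f}, "
              f"ROSI {rosi(TRADE_SECRET, option):.2f}")
    print("sign-off needed to accept trade-secret exposure:",
          approval_level(TRADE_SECRET.sle, AUTHORITY))
```

Two points the numbers make that the prose only implies: treatments that cut impact and treatments that cut likelihood compound when layered, so the combined residual is lower than either alone even though its ROSI is lower; and the sign-off check is driven by the single-loss exposure, not the annualized figure, which is why a rare but catastrophic exposure still has to go to the Board.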
The Author: Ala'a Elbeheri
A versatile and highly accomplished senior certified IT risk management Advisor and Senior IT Lead Auditor with over 20 years of progressive experience in all domains of ICT. 
• Program and portfolio management, complex project management, and service delivery, and client relationship management.      
• Capable of providing invaluable information while making key strategic decisions and spearheading customer-centric projects in IT/ICT in diverse sectors.    
• Displays strong business and commercial acumen and delivers cost-effective solutions contributing to financial and operational business growth in international working environments.      
• Fluent in oral and written English, German, and Arabic, with a professional knowledge of French.
• Energetic and dynamic; relishes challenges and demonstrates in-depth analytical and strategic ability to facilitate operational and procedural planning.
• Fully conversant with industry standards, with a consistent track record in delivering cost-effective strategic solutions.    
• Strong people skills, with proven ability to build successful, cohesive teams and interact well with individuals across all levels of the business. Committed to promoting the ongoing development of IT skills throughout an organization.
