@ISACA Volume 14  10 July 2019

Five Key Considerations When Developing Information Security Risk Treatment Plans


Risk treatment plans are an essential component of an organization’s information risk management and security strategy program. It is unrealistic to expect organizations to immediately mitigate or resolve all material information security risk as soon as it is identified. At the same time, once risk has been identified, organizations can be held accountable for it. As a result, they must be able to demonstrate that they are addressing risk appropriately within reasonable time frames and with sufficient effort. If developed and executed effectively, risk treatment plans can provide a documented and measurable approach to demonstrate to an organization’s key stakeholders, business leaders, constituents and interested parties that they are managing and/or mitigating their identified information-security-related risk with reasonable and defensible approaches and time lines. The following are 5 key considerations for organizations when developing information security risk treatment plans:

  • Ensure risk is properly and comprehensively identified within a risk treatment plan—It is important to identify the full scope of the identified risk and not just its symptoms or indicators. This will ensure that the plan will effectively address the entirety of the risk and not just components of it.
    The narrative that describes the identified risk in the plan should state the material business impacts the organization would suffer if the risk were realized and the probability of that occurring. These outcomes should be aligned with business expectations, goals and requirements so that risk ratings can be assigned to them. They should also be described in a way that is easily understood by the intended audiences who are expected to participate in the risk treatments prescribed in the plans.
    It is also important that the method by which the information security risk is identified and assessed is documented in the risk treatment plan. The rationale for the risk treatment approach should also be documented. One way to comprehensively qualify and quantify the identified risk in the plan is to perform a threat and vulnerability analysis of the identified risk.
    By using data-driven and evidence-based threat and vulnerability analysis, the credibility and defensibility of the organization’s information risk identification process will significantly increase. Even if there is disagreement on the results of the analysis, an organization can demonstrate that it developed its risk treatment plan based on a reasonable and comprehensive analysis.
  • Identify the measurements for success—One common challenge in the development or evaluation of risk treatment plans is measuring whether they achieve their intended outcomes or goals. It is important to include key performance indicators (KPIs) and other objective measures that can be easily identified and understood by interested parties, so that they can track the progress of the risk treatments prescribed in the plans. It can be useful to identify multiple levels of risk mitigation that will be reached at different points during implementation. For instance, if the risk treatment plan calls for the patching of systems or applications, a tiered method that shows the reduction of risk after specific key or high-risk systems have been addressed may be useful in demonstrating progress.
    Another key measure of success for a risk treatment plan is the use of assurance methods and practices, in the spirit of “trust, but verify,” to validate that the plan was implemented and that the intended reduction or mitigation of risk was actually achieved. Risk treatment plans should specify those assurance methods; in the patching example, a vulnerability scan run after the patch window provides evidence that is independent of the patch tracker’s own status records. Such tests independently verify that the plan was implemented as intended and provide an objective artifact to support that assertion.
  • Identify compensating controls—It is often the case that risk treatment plans require time and effort to comprehensively implement while the risk they will mitigate or manage still exists. A core component of any risk treatment plan should be to identify, document and implement compensating controls whenever possible as a temporary risk mitigation until the preferred measures can be put in place. In some cases, the compensating controls can be used as the permanent risk treatment as long as they are able to effectively meet an organization’s identified risk mitigation and management goals.
    To be considered effective, compensating controls should reduce or manage the risk to the same, or nearly the same, degree as the intended permanent risk treatment measure. When considering compensating controls in a risk treatment plan, it is important to evaluate their effectiveness against resolving the underlying issue that created the security risk directly. The plans should document why the compensating controls are being used, why the organization believes they are appropriate and how their effectiveness will be evaluated.
  • Identify requirements to successfully execute the risk treatment plan—Risk treatment plans will only be effective at mitigating, managing or removing risk if the organizations for which they are developed are committed to executing them. While many organizations may be committed to successful and comprehensive implementation of these plans in theory, they may not understand the full scope of the required effort until execution begins. In some cases, audit, risk and security professionals develop risk treatment plans assuming they have the support of the organization without first accurately identifying the time, money and/or people that successful execution will require. In these cases, they often discover that the organization does not have the capacity or appetite to execute the plan as written, and the plan must be redeveloped to fit the available appetite and capacity.
    To mitigate this risk, practitioners should estimate these resource requirements before committing them to the risk treatment plan. The estimates can then be socialized with the affected stakeholders, business process owners and business leadership to gauge their ability and willingness to execute them, and to give them the opportunity to prioritize their resources and activities accordingly. Once a level of commitment has been agreed upon, the requirements can be added to the plan.
  • Determine the defensibility of the risk treatment plan—A risk treatment plan will only be useful if the audiences for which it is developed believe the plan is reasonable, appropriate and likely to be effective. This can be considered the “defensibility” of the plan. When developing risk treatment plans for critical and high-risk mitigation activities, organizations should have the plans evaluated and scrutinized by knowledgeable and competent stakeholders and/or constituents prior to their approval or execution.
    These individuals should not have been part of the plan’s development, but they should understand the identified risk. They should be encouraged to ask challenging and comprehensive questions about the plans to test their efficacy, viability and comprehensiveness. This type of review helps ensure that the plans account for all requirements and key concerns and can stand up to adversarial questioning and criticism. It also gives these stakeholders a sense of ownership of the plans, which often translates into support for their execution.
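The following is an added example, not part of the original article, of how the tiered KPIs and the “trust, but verify” check from the measurements-for-success item might be computed for a patching plan. It takes a patch tracker’s claimed status and a vulnerability scanner’s findings as two separate data sources, reports residual risk both as the tracker claims it and as the scanner confirms it, and lists hosts where the two disagree. The host names, tiers, per-tier risk weights and the finding id “finding-0042” are all constructed placeholders, and a host with no scan record is deliberately treated as still exposed.

```python
"""Tiered KPIs and scan-based verification for a patching risk treatment plan.

Added example, not from the original article. The hosts, tiers and scan
findings are constructed for illustration; TIER_WEIGHT is an assumed
scoring scale, not a standard.
"""
from dataclasses import dataclass

# Assumed per-tier risk weights: one unpatched critical system should
# outweigh many unpatched standard workstations in the residual-risk figure.
TIER_WEIGHT = {"critical": 10, "high": 5, "standard": 1}
TIERS = ("critical", "high", "standard")  # milestone order in the plan

# A host with no scan record is treated as still exposed: no evidence, no credit.
UNSCANNED = frozenset({"no-scan-record"})


@dataclass(frozen=True)
class Asset:
    host: str
    tier: str
    patched: bool  # status *claimed* by the patch tracker, not yet verified


# Constructed patch-tracker export (hypothetical hosts).
ASSETS = [
    Asset("db-01", "critical", True),
    Asset("db-02", "critical", True),
    Asset("erp-01", "critical", False),
    Asset("web-01", "high", True),
    Asset("web-02", "high", False),
    Asset("jump-01", "high", True),
    Asset("ws-101", "standard", False),
    Asset("ws-102", "standard", False),
    Asset("ws-103", "standard", True),
]

# Constructed vulnerability-scan export: host -> ids of the plan's target
# finding that the scanner still detects (empty set = no longer detected).
# "finding-0042" is a placeholder id, not a real CVE or plugin number.
SCAN_FINDINGS = {
    "db-01": set(),
    "db-02": {"finding-0042"},  # tracker says patched, scanner disagrees
    "erp-01": {"finding-0042"},
    "web-01": set(),
    "web-02": {"finding-0042"},
    "jump-01": set(),
    "ws-101": {"finding-0042"},
    "ws-102": {"finding-0042"},
    "ws-103": set(),
}


def still_exposed(asset, findings):
    """True unless a scan record exists for the host and shows no finding."""
    return bool(findings.get(asset.host, UNSCANNED))


def claimed_residual(assets):
    """(residual, total) risk weight according to the tracker's own claims."""
    total = sum(TIER_WEIGHT[a.tier] for a in assets)
    residual = sum(TIER_WEIGHT[a.tier] for a in assets if not a.patched)
    return residual, total


def verified_residual(assets, findings):
    """Same figure, but a host only counts as fixed when the scanner agrees."""
    total = sum(TIER_WEIGHT[a.tier] for a in assets)
    residual = sum(TIER_WEIGHT[a.tier] for a in assets if still_exposed(a, findings))
    return residual, total


def unverified_claims(assets, findings):
    """Hosts the tracker marks patched but the scan still flags or never covered."""
    return sorted(a.host for a in assets if a.patched and still_exposed(a, findings))


def tier_progress(assets, findings=None):
    """{tier: (fixed, total)}; pass scan findings to count only verified fixes."""
    progress = {}
    for tier in TIERS:
        members = [a for a in assets if a.tier == tier]
        if findings is None:
            fixed = sum(1 for a in members if a.patched)
        else:
            fixed = sum(1 for a in members if not still_exposed(a, findings))
        progress[tier] = (fixed, len(members))
    return progress


def milestone_reached(assets, findings, tier):
    """A tier milestone is met only when every host in it is verified clean."""
    fixed, total = tier_progress(assets, findings)[tier]
    return total > 0 and fixed == total


if __name__ == "__main__":
    claimed = claimed_residual(ASSETS)
    verified = verified_residual(ASSETS, SCAN_FINDINGS)
    print(f"residual risk, tracker claims : {claimed[0]}/{claimed[1]}")
    print(f"residual risk, scan-verified  : {verified[0]}/{verified[1]}")
    print("claims the scanner contradicts:", unverified_claims(ASSETS, SCAN_FINDINGS))
    for tier, (fixed, total) in tier_progress(ASSETS, SCAN_FINDINGS).items():
        print(f"{tier:9s} {fixed}/{total} verified, milestone met: "
              f"{milestone_reached(ASSETS, SCAN_FINDINGS, tier)}")
```

With the constructed data, the tracker claims 17 of 48 risk units remain while the scanner shows 27, and the gap is traced to one critical host (db-02) whose claimed fix the scan contradicts; the critical-tier milestone therefore stays unmet even though the tracker shows two of three critical systems patched. The point of keeping the two figures side by side is that the KPI reported to stakeholders is the verified one.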

Risk treatment plans can be used to establish expectations and requirements for projects, activities and actions to manage, mitigate and/or remediate an organization’s material information security risk. Once an organization becomes aware of a risk, it becomes accountable for addressing it. Risk treatment plans provide evidence to support an organization’s commitment to appropriately mitigate and manage material information security risk and ensure that risk scenarios are not ignored.

John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Aligning Governance and Risk Management to Maximize Impact


Governance, risk management, control and business professionals from around the world can meet at the IIA and ISACA-hosted Governance, Risk and Control (GRC) Conference. This year’s conference, which takes place 12-14 August 2019 in Fort Lauderdale, Florida, USA, will allow professionals to create their own customized learning experience from multiple session options and interact face-to-face with their GRC peers. Attending both the preconference workshops and the GRC Conference allows ISACA members to earn up to 25.5 continuing professional education (CPE) credits. Participants will also have opportunities to meet industry experts and discover new, tested solutions to share with their organizations to foster GRC success.

Session highlights and topic areas include:

  • Opening keynote presented by Simon T. Bailey, breakthrough strategist, who helps professionals reach both business and personal goals through practical advice and specific tactics
  • Closing keynote presented by Patrick Schwerdtfeger, business futurist, who shares his insights on tech trends including artificial intelligence (AI), financial technology and blockchain
  • Cyber and digital disruption education track sessions
  • Technology and AI education track sessions
  • GRC and compliance education track sessions
  • Leadership, career, communication, culture and ethics education track sessions

For more information, visit the Governance, Risk and Control Conference page of the ISACA web site.


Recap: 2019 North America CACS IT Audit and Security Leaders Summits


ISACA held 2 invitation-only IT leaders summits at the 2019 North America CACS Conference. The IT Audit Leaders Summit and the IT Security Leaders Summit brought together leaders from a variety of enterprises and industries. They discussed real-world examples and practical solutions to help improve their work in the industry every day, and each event allowed attendees to share their insights with a broader community of professionals.

The 2019 North America CACS IT Audit Leaders Summit Recap white paper summarizes the audit leader summit’s discussions about emerging technology, innovation of audit departments, cybersecurity and the summit’s theme, “leading in a world of change.” The 2019 North America CACS IT Security Leaders Summit white paper recaps discussions of business and technology issues, including data governance and privacy, emerging technology and cyberthreats, and cybercrime and law enforcement. It also highlights the participants’ reflections about leadership cultures and their defining characteristics.

The goal of publishing these recaps is to assist the auditing and security professions at large and keep the conversations going around these important topics. You can access the complimentary ISACA white papers on the 2019 North America CACS IT Audit Leaders Summit Recap and the 2019 North America CACS IT Security Leaders Summit pages of the ISACA website.


Celebrating the 2019 ISACA Award Recipients and Nominating for the 2020 Awards


The 2019 ISACA Global Achievement Awards were presented at North America CACS in May 2019. Recipients from around the world gathered to accept their honors after being nominated by their peers in 2018. Former ISACA Board Chair and current ISACA Board member Rob Clyde emceed the presentation and commended each recipient on his or her individual accomplishments and contributions to ISACA and the industry at large. Five ISACA Certification Exam Top Score recipients from the 2018 exam period also received their awards. Visit the 2019 ISACA Award Recipients page of the ISACA Awards website to learn more about the award recipients honored at North America CACS.

It is only through peer nominations that ISACA can recognize these incredible achievements. Who inspires you? Who has taught you something new in an ISACA publication or at a conference session? Whose professional contributions have advanced the industry at large? What chapter programs and which volunteer leaders have been instrumental in your ISACA member experience?

ISACA members are invited to nominate outstanding individuals and chapters online until 15 August 2019. This peer-recognition program relies upon ISACA members to nominate and select the recipients to receive awards at ISACA events the following year. ISACA is proud to recognize the outstanding achievements of individuals and chapters within the professional community that exemplify ISACA’s values, purpose and leadership.

Visit the About ISACA Awards page of the ISACA Awards website to learn more about the ISACA Awards program, view past recipients and submit a nomination.