Information Risk Management

Risk Management using Failure Mode Effects Analysis - FMEA

FMEA (Failure Mode and Effects Analysis) has generally been used in manufacturing industries to determine process failures, identify their causes and impact, and define mitigation strategies that reduce failures and improve the overall end-to-end process. The concept of FMEA has been applied both to existing processes and to new ones. This article describes the application of FMEA to existing operational risk processes.

How does the risk management process differ from FMEA?

In general, the risk management process involves the following high-level steps:
  • Define the business context and scope of the risk assessment domains
  • Risk identification
  • Risk Assessment / Analysis

Third Party Tiering Since One Size Does Not Fit All

Managing third party risk is a critical challenge facing Information Security leaders today. High-profile data breaches are reported regularly in the media. Regulators are increasing the focus on requirements for identifying and managing risk for third parties, particularly for financial services and retail corporations. In line with added scrutiny on cybersecurity and data breach practices, boards of directors are more frequently raising questions about the state of controls for critical third parties.

Establishing a third party risk management program means tackling several problems, such as the sheer number of third parties to assess. Using a disciplined approach and best practices such as third party tiering can help to reduce the problem to a more manageable size.

What is third party tiering?

Is IRM (Information Risk Management) an overhead? Reduce the Effort - Merge it with CRM (Corporate Risk Management)

Any project has a mandate to do program-level risk management, which handles risks like delays, effort, coding, dependencies, client environment and so on. The project appoints a security manager because ISO 27001 certification is required, and he immediately comes up with an additional task: please perform security risk management, and here is the IRM methodology you need to understand and then use to assess information security risks.

Response from project management....Am too tied up with project deliverables...don't have time to understand one more methodology...Already doing CRM...Why don't you do it for our project...Take a trainee if required...

Security Manager: Hey...IRM is not a trainee's job..we require someone who understands the project...

and the argument goes on....or the Security Manager bows down. IRM remains more of a compliance issue than a tool to manage real security risks.
