OVERVIEW
[Process diagram: Make Recommendations; Reach Agreement]
Key Takeaways
When conducting control selection, consider the following:
1. Identify and involve the relevant stakeholders during control selection. While the project owner is the key business representative during control selection, other key stakeholders often need to be involved in the decision process.
2. Cater communications to each stakeholder to drive better risk management outcomes. Security should account for each stakeholder's bias during the control selection process.
3. Understand how security considerations can affect business goals. Business partners view controls in terms of both risk management and business outcomes, so Security needs to account for the impact control recommendations can have on the business.
4. Select controls that weigh benefits against risks. Identify controls that balance Security's risk management standards, the business's risk tolerance, the project's unique goals, and the project owner's willingness to accept risk.
5. Limit the need to escalate by creating options to support business partner decisions. Present controls in terms of risk/reward trade-offs to negotiate an optimal decision with risk owners.
6. Balance information accessibility needs with the potential risk of information loss. Security can support employee productivity goals by balancing controls that manage risk with efforts to make information more accessible.
The project owner is the key individual that Security serves during the risk assessment process. However, when consulting on control selection, Information Security staff often need to engage with end-users, IT stakeholders, other risk management functions, and even external partners. Therefore, it is critical that Security formally identifies and appropriately involves the right stakeholders in each control selection conversation and decision.
[Figure: Illustrative Depiction of Potential Stakeholders Involved in Control Selection. Groups shown around the centre "Potential Stakeholders in Control Selection": Project Owner; IT Stakeholders (Service Manager, Solution Architect, Tower Lead); Business Partners (General Manager, Director of Finance, Operations Manager); Risk Management Functions (General Counsel, Audit, Compliance); End-Users (Power Users, Communities of Practice, Remote Workers); External Partners (Suppliers, Contractors).]
[Figure: Stakeholder profiles and their view of Information Security]

Project Owner
Key Characteristics: Making more decisions about technology; growing understanding of the impact of information use.
View of Information Security: see Challenge below.

Line-Level Employees
Key Characteristics: Increasingly able to find ways to use "cool" non-corporate tools and technologies from the consumer world; higher expectations for ease of use.
View of Information Security: Finding more secure alternatives requires more effort and wastes time.

Corporate IT
Key Characteristics: Share technical expertise and knowledge; able to incorporate risk assessments into IT processes.
View of Information Security: The security process can delay critical projects.

Challenge: Stakeholders often perceive Information Security assessments and controls as limiting, making them less willing to engage with Security.
[Figure: Business Partner and Information Security perspectives on Control Selection. Elements shown: Business Leader and Security Professional; Business Benefits, Unsecured Employee Behavior, Costs, Vulnerabilities, Risks; Project Considerations and Stakeholder Considerations, with the prompt "Is this an immediate or future priority?"]

[Figure: Two failure modes in control selection, "Business partner resistance is automatically met with escalation to CISO." and "Security concedes to suboptimal risk decisions.", contrasted with the recommended approach: Present Trade-Offs.]

[Figure: Spectrum from Focus on Information Protection, through a Targeted Approach to Information Protection, to Focus on Information Accessibility; axes labelled Low and High.]
Additional Research on Reducing the Burden Controls can Place on the Business