Without clear responsibilities set out in a risk management plan, the right decision makers can be left out of the conversations where they are needed. This phase will take you through the following activities:
- Determine the function of the risk executive.
- Determine the function of the board of directors and IT security group.
- Build a security risk responsibilities document.
- Define the organizational risk tolerance level.
Use this phase as part of the full blueprint, Combine Information Security Risk Management Components Into One Program.