I don’t know if your memory is like mine, but sometimes I cannot remember what happened last week.

Do you remember each and every information security exposure that is found?

Several years ago I started keeping a Risk Register. This is very similar to the checkbook register that we all keep.

When I find a new exposure to our organization, I keep track of these things…

  1. Date Risk Found
  2. Description of Risk
  3. Business Unit Impacted
  4. Steps Taken for Remediation
  5. Date of Each Step Taken

Now, I’ll be honest. Many times I keep much more information than what is listed above. But the above is a good start.

What are the benefits of keeping a Risk Register?

  • Helps with remembering what has been done.
  • Helps with justifying InfoSec expenses.
  • Helps in explaining what has been done to Management.
  • Helps to identify the most vulnerable business unit.

So, remove some items from the list of things you need to remember. Keep a Risk Register.

- Dan

One Comment to “InfoSec Tip: Create A Risk Register”

  1. Kent says:

    That’s a great tip, thanks!
