InfoSec Tip: Create A Risk Register

by Dan Strom on June 25, 2009

I don’t know if your memory is like mine, but sometimes I cannot remember what happened last week.

Do you remember each and every information security exposure that is found?

Several years ago I started keeping a Risk Register. This is very similar to the checkbook register that we all keep.

When I find a new exposure to our organization, I keep track of these things…

Date Risk Found
Description of Risk
Business Unit Impacted
Steps Taken for Remediation
Date of Each Step Taken

Now, I’ll be honest. Many times I keep much more information that what is listed above. But, the above is a good start.

What are the benefits of keeping a Risk Register?

Helps with remembering what has been done.
Helps with justifying InfoSec expenses.
Helps in explaining what has been done to Management.
Helps to identify the most vulnerable business unit.

So, remove some items from the list of things you need to remember. Keep a Risk Register.

- Dan

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

Tagged as: Risk

{ 1 comment… read it below or add one }

Kent July 19, 2009 at 9:17 pm: That’s a great tip, thanks!

Leave a Comment

Previous post: From Sophos: Simple Facebook flaw put all members at risk of identity theft

Next post: No-effort Hacking

Categories
Information Security Links
- Data Security Podcast
- Internet Storm Center
Follow Dan Strom on Twitter
- @cunningpike Same thing happens when folks move to the country, then start complaining about the smell of animals
- This explains a lot! - http://t.co/30AOztlx #FB
- I've been wondering lately why folks in formal leadership positions are often reluctant to do the right things...
- RT @JohnCMaxwell: You cannot kindle a fire in any other heart until it is burning within your own. -Unknown
- I'm listening to some old 2nd Chapter of Acts music. Oh, the memories are flooding back #FB