Information Risk Management follows information as it is created, distributed, stored, copied, transformed and interacted with…throughout its lifecycle.
Begin by understanding what information is critical to key business initiatives, such as growth through acquisitions or expanding partnerships. Then diligently ‘follow the data’ to gain a more holistic view of all the places where it exists across the organization, where the points of vulnerability are, and what events could put your business at risk.
Security investments should be prioritized, based on the amount of risk a given activity entails relative to the potential business reward, and in keeping with the organization’s appetite for risk.
Once enterprise information has been located and a risk assessment performed, the next step is to implement controls — including policies, technologies, and tools — to mitigate that risk. Here, organizations often turn to frameworks like ISO 27002 and the PCI Data Security Standard.