Formalize how you identify, assess, and prioritize risks to your organization. The goal of risk management is to improve business decisions and outcomes. This engagement delivers a complete package of process, tools, and training to bring consistency to assessments and decisions. Whether you’re developing your budget or assessing technical risks, your team will be empowered to drive proactive decisions with IT and business stakeholders.
The Prioritizing Risks engagement is typically delivered in two phases. Engagements vary from one to three weeks.
- Process Definition: Review or draft the procedures, workflow, and risk decision roles for conducting assessments; construct a process overview presentation; and train stakeholders.
- Pilot: Work through the assessment process by conducting a live assessment through risk identification to acceptance or remediation decisions.
- Review drivers, requirements, and stakeholders
- Document roles across IT, Risk, and Business Units (RACI table)
- Document process flow (swim lane diagram)
- Document procedures (Word document)
- Produce stakeholder presentation (PowerPoint)
- Implement and train key stakeholders on Third Defense Risk Communicator
Risk Assessment Pilot
- Scope assessment
- Identify & prioritize risks
- Identify potential remediation steps
- Prioritize and determine remediation steps
- Produce reports (document or presentation) using Third Defense Risk Communicator
Developing, communicating, and maintaining an information security strategy provides clear direction to your internal team, stakeholders, and audit organizations. A strategy is more than a presentation. It’s a process to solicit input, crystallize direction, and build support across the organization.
Whether you’re updating an existing strategy or starting from scratch, our consultants offer experience building the mission, vision, and strategy to get there. Depending on your needs, this engagement may also include a process maturity assessment to frame your message, set expectations, and identify improvement areas.
See our IT Security Strategy Template, previewed below, as a starting point.
Those familiar with ITIL may refer to this engagement as building a Service Catalog. The ability to define what you do, who does it, at what maturity, and where your time and money are spent enables teams to align their capacity to demand. A Service Catalog enables you to set expectations and communicate where you’re actually spending your time vs. where others think you are. If you feel like you have insufficient resources or if you’re reacting more than leading, start with a Service Catalog to set a baseline.
Creating a Service Catalog seems like a straightforward exercise. However, many teams struggle to document their processes with consistent levels of detail across managers. Our consultants will interview your leaders and help standardize your services into concise descriptions. Results are entered and maintained in the Third Defense Service Manager application. This engagement has two additional options.
The first option is to determine where your team spends its time and money. Results are collected across high-level time buckets of Business as Usual, Short Term, and Long Term Projects. The benefit is a visual representation to determine resource allocation and help communicate needed changes.
The second option also takes advantage of the service catalog to assess the maturity of each process across people, process, and maturity. We leverage a maturity model similar to the capability maturity model for consistency. The benefit is a visual representation to set expectations on process maturity and drive investment decisions.