Pragmatic information risk management (part 3)

Additionally, management should ensure that everyone adequately secures information in practice, which involves:
  • Establishing clear policies and procedures for information security;
  • Allocating the associated resources and priorities to 'make it so'; 
  • Providing frequent security awareness updates for everyone, partly as a reminder of the obligations, partly to keep up with current threats, vulnerabilities and impacts;
  • Training specialists in particular areas ranging from basic hygiene to advanced security controls, incident management and forensics;

Finally, organizations should monitor the effectiveness of their information risk and security management practices and the security posture using assurance measures such as risk assessments, security control tests and audits to ensure that things are working as intended.

In conclusion, a pragmatic approach to information risk and security management is essential for organizations in today's complex and rapidly changing technological environment. By taking a realistic and practical perspective, organizations can effectively manage their information risks and ensure the security of their critical assets.