Chapter 12

Security Risk Reviews

Information in this Chapter

Introduction

Unfortunately, it isn’t enough for security teams to publish a volume of policies and standards and then expect compliance. With any policy or standard that is established, you should expect some level of noncompliance that needs to be evaluated and addressed. Different organizations may refer to the ongoing gap analysis process by different names, but a simple term is a Security Risk Review (SRR). You may hear this process referred to as a Compliance to Standards review, which, although accurate, sends the wrong message about its intent. The ...

Get Security Risk Management now with the O’Reilly learning platform.
