Building an Information Risk Management Framework

While pursuing a career in information security, we may be required to build something known as an information risk management framework (IRMF) somewhere down the line. It is a document that records and manages the risks faced by an organization, thereby helping it understand which measures to take to minimize risk while working towards its business goals.

During the second semester of my Master of Cybersecurity degree at The University of Adelaide, I enrolled in a course called Information Risks, Threats and Controls, where we were split into groups of seven to build an IRMF for real clients in Adelaide. It was a challenging yet wonderful experience, where I learned a lot about how organizations can manage and minimize the risks they face.

We followed a nine-step risk assessment management (RAM) process to build the IRMF, which included the following steps:

RAM 1 — Establish context: Perhaps the most important step to take while building an IRMF is to establish context, as all other steps are influenced by the organizational context. We needed to gather as much information as possible about our client from the internet, from people working in the organization, and from interviews conducted with the director of the organization. Using this information, we prioritized the client’s business goals and worked on building the IRMF accordingly.

RAM 2 — Identify risks: The next step was to identify the organization’s risks, which started with listing its information assets. Then, potential threats to these assets and vulnerabilities present in the organization were identified, and risks were determined from this information.

RAM 3 — Map risks: We collected templates and tools commonly used in risk analysis, such as a risk matrix, to help analyse and communicate risks better. The information we had gathered was mapped onto these templates.

RAM 4 — Analyse risks: Once we had the risks mapped out, we started the process of analysing the risks. We tried to find out how they could be related to each other so that reducing some risks could reduce others too.

If you don’t invest in risk management, it doesn’t matter what business you’re in, it’s a risky business.

– Gary Cohn

RAM 5 — Evaluate risks: The identified risks were evaluated to differentiate the extremely severe ones, with a high impact on the organization, from the low-severity ones.

RAM 6 — Treat & Control risks: Procedures that could be taken to treat the risks and prevent further risks in the organization were considered and documented, along with our recommendations to the organization based on its context.

RAM 7 — Communicate & Consult about risks: All the identified risks and measures to treat and control them were documented in a draft IRMF and sent to the organization for review so that the necessary changes could be made according to their take on our work.

RAM 8 — Monitor & Review risks: The risks and mitigation techniques detailed in the draft were reviewed based on the organization’s suggestions. No matter how hard we tried to reflect the real scenario of the organization in our work, there were bound to be minor differences between what we stated and what they experienced, which were rectified during this review so that everyone was on the same page.

RAM 9 — Document risks & Risk management strategies: All suggested changes were made and the final version of the IRMF was delivered to the organization, along with a brief report that stated how the IRMF was to be used and updated in the future.
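The scoring that underpins RAM 3 to RAM 6 (mapping risks onto a likelihood-by-impact matrix, grouping risks that share a vulnerability so one treatment reduces several, and ranking them for the treatment section), as an added Python example that is not part of the original post or of the IRMF it describes. The scales, severity bands and register entries are constructed for illustration; a real IRMF takes them from the context established in RAM 1.

```python
from dataclasses import dataclass

# Qualitative 5-point scales (constructed; in practice agreed with the client in RAM 1)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    rid: str
    asset: str           # information asset identified in RAM 2
    threat: str
    vulnerability: str   # a shared vulnerability is what links risks to each other (RAM 4)
    likelihood: str
    impact: str


def score(risk: Risk) -> int:
    """Likelihood x impact, i.e. the cell the risk lands in on a 5x5 risk matrix (RAM 3)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(risk: Risk) -> str:
    """Band the score so severe, high-impact risks stand out from low-severity ones (RAM 5)."""
    s = score(risk)
    if s >= 15:
        return "extreme"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def related_risks(register: list[Risk]) -> dict[str, list[str]]:
    """Group risks by shared vulnerability: treating it reduces every risk in the group (RAM 4)."""
    groups: dict[str, list[str]] = {}
    for r in register:
        groups.setdefault(r.vulnerability, []).append(r.rid)
    return {v: ids for v, ids in groups.items() if len(ids) > 1}


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register for the treatment and control section (RAM 6), highest score first."""
    return sorted(register, key=score, reverse=True)


# Constructed sample register for a small organization
REGISTER = [
    Risk("R1", "client database", "ransomware", "no offline backups", "possible", "severe"),
    Risk("R2", "file server", "ransomware", "no offline backups", "possible", "major"),
    Risk("R3", "staff laptops", "theft", "no disk encryption", "unlikely", "moderate"),
    Risk("R4", "public website", "defacement", "unpatched CMS", "likely", "minor"),
]
```

Running `prioritize(REGISTER)` orders R1, R2, R4, R3, and `related_risks(REGISTER)` shows that a single backup control addresses both R1 and R2.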

As is evident, it was quite an elaborate process, which we worked on for 12 weeks. In the end, both our client and our lecturer were happy with our work, and hopefully the organization can use it to improve its risk posture and manage its risks better.


I wrote this blog so that anyone who wants to build an IRMF can refer to these steps, and hopefully it will act as a solid base to build upon. Our final IRMF is linked here if anyone wants to check it out. The name of the organization and all sensitive details have been redacted.
