Risk IT Framework - ISACA

The Risk IT framework and best practice guidance were released earlier this week. They are well written and worth reviewing. Here is a listing of the Risk IT principles from the brochure:

The Risk IT framework is about IT risk—business risk related to the use of IT. The connection to business is founded in the principles on which the framework is built. Effective enterprise governance and management of IT risk:

• Always connects to business objectives
• Aligns the management of IT-related business risk with overall ERM - if applicable, i.e., if ERM is implemented in the enterprise
• Balances the costs and benefits of managing IT risk
• Promotes fair and open communication of IT risk
• Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
• Is a continuous process and part of daily activities

The Practitioner Guide has material that can be leveraged. For example:

• Risk Map With Risk Appetite
• Risk Communication Flows
• Key Risk Indicators and Risk Reporting
• Risk Profile
• Risk Aggregation
• Aggregation of Risk Maps
• Risk Culture
• etc.

The Risk IT documents can be accessed from http://www.isaca.org/riskit.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, CIPP
Charlotte, NC
http://www.virtualcso.com

http://www.securityisgolden.com
http://www.infosecresources.com
http://groups.yahoo.com/group/gideons-infosec-list


Posted: Thu Dec 10, 2009 8:51 pm