216 Risk Management – Current Issues and Challenges

**4. Using IA OM® as an enterprise risk management metric**

The process for using IA OM® as an enterprise risk management metric involves a number of steps. The overall steps in the process, as adapted from the OM® process, are:

1. Decide what questions you need or want answers to regarding your organization's risk management program;
2. Identify the organizational assets, processes, or operations that need to be measured to answer the questions from step 1;
3. Identify any characteristics and sub-activities of the organizational assets, processes, or operations to be measured from step 2;
4. Define an activity value scale for each activity or sub-activity in terms that make sense within the organization;
5. Determine the current value (or location along the value scale) for each activity or sub-activity being measured;
6. Calculate the value for each asset, process, or operation identified in step 2 using the formulas provided in Section 4.4 and the activity (or sub-activity) values from step 5. Weighting factors are selected based on the organization's determination of the relative importance of the activities;
7. Combine the values for each activity (asset, process, or operation) into an overall IA OM® index value to be reported and analyzed.

These steps and activities are applied to organizational risk management using IA OM®, resulting in a metric that provides the ability to evaluate the risk posture of:

- a specific organizational asset, process, or operation;
- a set of organizational assets;
- all activities within a risk management tier; or
- risk management activities across tiers.

Applied this way, IA OM® allows Senior Management to readily assess their current information security risk management posture and determine whether it fits within their risk tolerance. It also identifies those areas, programs, and systems of greatest risk to the organization – allowing Senior Management to quickly and easily prioritize their remediation efforts.

This process is shown in Figure 2 [24] using an activity from an organization's personnel security process as an example. The individual process steps are examined in more detail in Sections 4.1 – 4.7.

**Figure 2.** IA OM Process with Personnel Security Process Example<sup>13</sup>

[Figure 2 labels recovered from the page: Risk tolerance for individual systems; Risk tolerance within organizational elements; Overall risk tolerance; the index equation shown in the figure<sup>14</sup>.]

<sup>13</sup> Adapted from interview with Stanley G. Siegel on Jan. 7, 2004 [24].

<sup>14</sup> This equation and its components are described in Section 4.5.
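The seven steps above stop short of the roll-up formula itself, which the chapter defers to Section 4.4 and is not on this page. As an added illustration that is not the chapter's code and not the OM® formula, the following Python models the data the steps produce (activities with an ordered value scale, a current position on that scale, and a weight; systems, organizational elements and the organization as the three tiers) and rolls them up with a plain weighted mean, then compares each tier's index against a stated tolerance. The weighted mean as the aggregation, the normalisation of each scale to [0, 1], the personnel-security activities and the tolerance values are all assumptions constructed for the example.

```python
# Added illustration (not the chapter's code and not the OM(R) formula):
# rolls constructed activity values up through risk-management tiers with a
# plain weighted mean and checks each tier against its risk tolerance.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Activity:
    """One measured activity or sub-activity (steps 3-5)."""
    name: str
    scale: List[str]      # ordered value scale, least favourable first (step 4)
    current: str          # current position on that scale (step 5)
    weight: float = 1.0   # relative importance chosen by the organization (step 6)

    def score(self) -> float:
        """Normalise the scale position to [0, 1]; 1.0 is the most favourable point."""
        if self.current not in self.scale:
            raise ValueError(f"{self.current!r} is not on the value scale of {self.name}")
        if len(self.scale) == 1:
            return 1.0
        return self.scale.index(self.current) / (len(self.scale) - 1)


def weighted_mean(pairs: List[Tuple[float, float]]) -> float:
    """Weighted mean of (value, weight) pairs; an assumed stand-in for the Section 4.4 formulas."""
    total = sum(w for _, w in pairs)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return sum(v * w for v, w in pairs) / total


@dataclass
class Node:
    """A system (tier 3), an organizational element (tier 2) or the organization (tier 1)."""
    name: str
    tolerance: float                 # minimum acceptable index for this node (constructed)
    activities: List[Activity] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)
    weight: float = 1.0

    def index(self) -> float:
        """Steps 6-7: combine own activities and child indices into one index value."""
        pairs = [(a.score(), a.weight) for a in self.activities]
        pairs += [(c.index(), c.weight) for c in self.children]
        return weighted_mean(pairs)


def out_of_tolerance(node: Node) -> List[Tuple[str, float, float]]:
    """Pre-order list of (name, index, tolerance) for every node whose index is below tolerance."""
    idx = node.index()
    flagged = [(node.name, idx, node.tolerance)] if idx < node.tolerance else []
    for child in node.children:
        flagged += out_of_tolerance(child)
    return flagged


def build_example() -> Node:
    """Constructed personnel-security example; activities, values and tolerances are illustrative."""
    hr_system = Node("HR system", tolerance=0.7, activities=[
        Activity("Background screening",
                 ["not performed", "performed for privileged roles", "performed for all staff"],
                 "performed for privileged roles", weight=2.0),
        Activity("Security awareness training",
                 ["none", "at hire", "at hire and annually"],
                 "at hire and annually"),
    ])
    payroll = Node("Payroll system", tolerance=0.7, activities=[
        Activity("Access review", ["never", "annually", "quarterly"], "quarterly"),
        Activity("Termination offboarding",
                 ["ad hoc", "within 30 days", "same day"], "within 30 days"),
    ])
    personnel = Node("Personnel security", tolerance=0.7, children=[hr_system, payroll])
    return Node("Organization", tolerance=0.8, children=[personnel])


if __name__ == "__main__":
    root = build_example()
    print(f"overall index: {root.index():.3f}")
    for name, idx, tol in out_of_tolerance(root):
        print(f"below tolerance: {name} index={idx:.3f} tolerance={tol:.2f}")
```

With the constructed values, the HR system falls below its tolerance because the heavier-weighted screening activity sits at the midpoint of its scale, while the personnel security element as a whole stays within tolerance; the organization-level tolerance of 0.8 is still missed, which is the kind of tier-by-tier result the figure describes.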
