An enterprise risk management framework should include both program risk and institutional risk.
1. Define program risk.
2. Define institutional risk.
3. Describe how your selected organization incorporates program risk and institutional risk in its security program. Offer examples of both types of risk.
This is a scenario-based discussion.
Assume you are a technical advisor for the Chief Information Officer (CIO) of your organization. The CIO sends you an email communicating that she wants to be briefed on “OMB M-11-11” because the administrator has just added it to the list of priorities for the organization. She has limited knowledge of the policy and needs to know how it will affect the organization and what we have already accomplished towards meeting the requirements within the policy.
You have been given 30 minutes with the CIO. What would you report? And why?