
Tminus20 Inc.

IT Risk Management

About


Tminus20 specializes in IT Risk Management - a management approach that aligns IT Security with an organization's risk appetite. This results in improved security with lower compliance and audit costs.

Managing IT Risk also brings a vocabulary to IT Security that is common to risk management throughout the organization. This enables integration of IT risks with the Enterprise Risk Management program, thereby improving an organization's understanding of its overall risk profile, and ultimately enabling improved performance.

Tminus20 assists clients with IT Risk Management program implementation, including process automation to reduce the burden of on-going management.

Services


The implementation of an IT Risk Management program starts with the commitment of senior management. With their assistance and guidance, an IT Risk Management policy is created to suit the needs of the organization. Based on that policy, an IT Risk Management framework is developed. The framework describes the risk assessment process(es) to be used, the responsibilities for each role, the communications plan and the measures of success.

Once the framework has been approved, the operational procedures are developed and integrated into the ITSM processes (Change Management, Incident Management, Configuration Management, etc.) as well as the management team's processes (weekly management meetings, monthly reporting, etc.).

Through these processes, as well as through security awareness, risks are detected and reported. Reported risks are tracked in a Risk Register, which maintains the list of current risks, their recommended treatment and an action plan to address each risk.

The compliance burden continues to increase and organizations need to take a new approach to managing internal compliance assessments and IT security assessments. Process automation can reduce the time required to complete assessments by up to 30%, based on previous customer implementations.

Tminus20 assists our clients in developing customized workflows and processes, and then works to integrate those new procedures into existing processes, where applicable.

IT Security policies form the foundation of IT security practices in an organization. They provide a common understanding of expectations with regard to maintaining the security of one of the most important assets an organization can have - information.

Security policies not only assist in improving day-to-day security, they also provide ready evidence that the organization can meet legal and/or contractual obligations.

Threat and Risk Analysis
The standard tool for assessing risk and determining appropriate risk treatments. Tminus20 has experience in delivering Threat and Risk Analysis using the Harmonized Threat And Risk Assessment methodology, developed by the Communications Security Establishment of Canada (CSEC) & the Royal Canadian Mounted Police (RCMP).

Vendor Risk Analysis
Increasingly, attack vectors use third parties to access an organization's systems. Successfully managing the risks of suppliers and partners will increase the security posture of an organization. Additionally, more and more organizations are being required to vet their supply chain in order to meet their customers' demands for security.

Cost/Benefit Risk Analysis
An incredibly useful decision-support tool, Cost/Benefit Risk Analysis can provide management with insight into the potential consequences of any important management decision. Cost/Benefit Risk Analysis, with consideration of the organization's risk appetite, enables management to determine the most appropriate path.

Organizational Risk Assessment
The first step in establishing a Risk Profile for an organization is an overall organizational risk assessment. This high-level assessment considers the organizational structure, the business objectives and strategic directions, and provides an analysis of any risks to obtaining those objectives or strategies. The results of an Organizational Risk Assessment are used to establish the Risk Appetite and Risk Tolerance of an organization, which are the basis for IT Risk Management.

Contact


Ottawa, Canada

Phone: +1 613.294.6277

Email: info@tminus20.com