Until a little over two years ago, the government’s Security Policy Framework mandated the risk management process that HMG departments and agencies had to follow. Impact assessments had to be conducted this way – threat assessments had to be conducted that way. Unfortunately, this created a culture where compliance with mandatory risk management process became more important than really understanding (and thus effectively managing) risk. To make matters worse, security practitioners, now steeped in this process, had become adept in the application of the framework, rather than the true elicitation of risk.
https://www.cesg.gov.uk/articles/outcomes-over-process-how-risk-management-changing-government