Risk Management Framework Essay

Experience shows that people have little tolerance for extensive question sets, whether administered in person or by survey. A more successful approach is to develop an interview process in which an assessor (e.g., a security professional) discusses security issues with the appropriate person who has knowledge of that particular area. The interview process draws out all the details of the question set without necessarily asking each and every question. In support of this interview process, consider the following interview guide for engaging people in discussions about security in a conversational manner. This conversational manner obtains better cooperation than clinically going through each individual question. The interview guide aligns with the full discovery question set and permits the assessor to engage the interviewees in conversation. As key points are covered, the assessor may note cues to the responses and then complete the full question set on his or her own. This may seem somewhat labor intensive for the assessor; however, it is a more certain way of obtaining complete and accurate information. Assessors who have followed this method report that recording detailed answers greatly increases their confidence in writing the gap analysis and remediation analysis reports and in making recommendations for managing business risks. The discipline of a comprehensive question set forces the assessors (in a good and positive way) to complete both the interview guide and the question set. If the assessor does not gather all the relevant answers during the initial interview, a follow-up phone conversation or e-mail to fill in the missing data is far easier than handling the entire discovery process remotely. In planning for discovery and the interview process, the assessor should map personnel contacts with each SMF category