Phase IV: Implement Monitoring


When all is said and done, you're going to need to develop a system to measure the quality of your efforts on an ongoing and regular basis. This is done through security metrics, and it improves as the security process within the organization matures. A risk management program has five levels of maturity:

  1. Having well-defined security policies

  2. Having well-defined procedures

  3. Implementing those procedures

  4. Testing compliance with and effectiveness of those procedures

  5. Fully integrating those policies and procedures into the ongoing regular operations of the organization

Don't feel like you have to bite off the entire risk management approach in one step. It takes time, research, tact, patience, and persistence to collect all the data, to create coherent and balanced policies and procedures, and to get them integrated into an organization. It might take years for a large government agency or company to fully embrace these changes, and sadly it usually takes a major disaster for the process to really gain momentum. If you want to see fundamental changes in your organization's risk management process occur, it's going to take hard work. All the firewalls in the world can't replace the effect of having a Level 5 risk management program in place. It is well worth the effort.



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    EAN: N/A
    Year: 2004
    Pages: 169
