Security Risk Management

The security risk framework, explained in the Security Risk Management Standard for NTT DATA EMEAL, defines the roles and responsibilities of all actors involved in risk management, as well as describes the various risk approaches and risk governance instances.

The steps for systematic risk management such as establishing the context, identifying and evaluating risks, treating risks, communicating, and reviewing are outlined based on the ISO 27005 standard.

The approach to security risk management is oriented both to protect work tools and products as well as to ensure business objectives, thus, two security risk dimensions are highlighted: asset-based risk assessment, and operational risk assessment.

Risk governing bodies at strategic and operational levels, and the communication and escalation mechanisms for risk owners and committees are also defined.

Risk treatment measures are implemented to maintain the risk levels below the established risk appetite set by the Top Management and monitoring actions are carried out to ensure they are completed in due time. The periodicity of assessments is stablished to be, at least, yearly.