Ask yourself: how does your organization identify critical information assets and the risks to those assets? What are the potential financial impacts of a successful attack against these assets? Do you have any insurance policies to mitigate and transfer potential losses from your information security risks? Risk management is about conducting an information security risk evaluation that identifies critical information assets (i.e. systems, networks or data), threats to those assets, asset vulnerabilities and risks. You should identify the adverse impacts when risks to critical assets are realized, and quantify the financial impact to the greatest extent possible. Have a risk mitigation plan that results from the evaluation, and ensure there is regular review and management of the risks to critical information assets.
Security Architecture & Design
You should know the primary components of your organization's security architecture. How exactly does your security architecture help your business? Know which assets to secure the most, and know why.
This practice involves a few sub-practices as well, such as Accountability and Training, and Adequate Expertise. Regarding Accountability and Training, you should establish accountability for user actions, train for accountability and enforce it, as reflected in organizational policies and procedures. When I say users, I mean everyone with an active account, for example employees, partners, suppliers and vendors. Regarding Adequate Expertise, you should ensure that there is adequate in-house expertise, or explicitly outsourced expertise, for all supported technologies, including the secure operation of those technologies. You have to know whom to call if you have problems with your operating system, laptop, access to new project data, passwords, security applications, or custom applications that have been developed internally. And that's not all: you should also know whom to call when your corporate firewall blocks access to a service that you need, or something similar.
System & Network Management
This practice is built from a few smaller practices, all of which are very important: Access Control, Software Integrity, Secure Asset Configuration and Backups. We are only going to cover them generally here. Establish a range of security controls to protect assets residing on systems and networks. Consider the use of access controls on your network, and the use of data encryption technologies (VPNs too) as required. Use removable storage media for critical data so that it can be physically secured. Do regular checks to verify the integrity of installed software. Do regular checks for viruses, worms, Trojans and other malicious or unauthorized software. Also, regularly compare all file and directory cryptographic checksums with a securely stored, maintained and trusted baseline.
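The checksum comparison described in the last sentence is easy to demonstrate. The following is an added example written for this article, not code from the original text or from any particular integrity tool: it records a SHA-256 checksum for every regular file under a directory tree as the trusted baseline, then on a later run rehashes the tree and reports files that were added, removed or modified. The directory layout, file names and "tampering" in run_demo are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 of one file, read in chunks so large files never sit in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_snapshot(root: Path) -> dict:
    """Map every regular file under root (path relative to root, POSIX form) to its SHA-256."""
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # hash regular files only; a symlink's target may lie outside the tree
            snapshot[path.relative_to(root).as_posix()] = sha256_of_file(path)
    return snapshot


def save_baseline(snapshot: dict, baseline_path: Path) -> None:
    """Write the trusted baseline as sorted JSON. In a real deployment this file belongs on
    read-only or off-host storage: a baseline an intruder can rewrite proves nothing."""
    baseline_path.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(baseline_path: Path) -> dict:
    return json.loads(baseline_path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the trusted baseline and the live snapshot."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def check_tree(root: Path, baseline_path: Path) -> dict:
    """One scheduled integrity run: rehash the tree and diff it against the stored baseline."""
    return compare(load_baseline(baseline_path), build_snapshot(root))


def run_demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, and re-check.
    Returns the comparison result so the outcome can be inspected programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "server").write_bytes(b"original binary\n")
        (root / "etc" / "config.ini").write_text("debug=false\n")
        (root / "etc" / "old.conf").write_text("obsolete\n")

        # The baseline is stored outside the monitored tree (here: the parent temp dir).
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_snapshot(root), baseline_path)

        # Simulated changes since the baseline was taken (constructed for the demo).
        (root / "bin" / "server").write_bytes(b"tampered binary\n")    # modified
        (root / "bin" / "helper.so").write_bytes(b"unexpected file\n")  # added
        (root / "etc" / "old.conf").unlink()                            # removed

        return check_tree(root, baseline_path)


if __name__ == "__main__":
    result = run_demo()
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind.upper():9s} {p}")
    # Any non-empty category means the tree no longer matches its trusted baseline.
    print("INTEGRITY OK" if not any(result.values()) else "INTEGRITY VIOLATION")
```

Two points matter more than the hashing itself. First, the baseline must be kept somewhere the monitored host cannot silently rewrite it (read-only media, a separate host, or at least a signed copy), otherwise a change to the files and a matching change to the baseline look identical to a clean run. Second, the check should be scheduled and its output reviewed; a report nobody reads detects nothing.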