Managing information system-related security risks is a complex, multifaceted undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning and managing projects, to individuals on the front lines developing, implementing, and operating the systems supporting the company's core missions and business processes. Risk management is viewed as a holistic activity that is fully integrated into every department of a company. Governance, Mission, and Business (information and information flows) and Environment of Operation overall structure should stem from the executive leadership to include: 

• Multitier Organization-Wide Risk Management

• Implementation by the Risk Executive (Function)

• Tightly coupled to Enterprise Architecture

    and Information Security Architecture

• System Development Life Cycle Focus

• Disciplined and Structured Process

• Flexible and Agile Implementation