4-6 Risk-Based Information Security Framework

The risk-based information security framework (1) allows traceability from the highest-level strategic goals and objectives of the Postal Service, through specific mission/business protection needs, down to specific information security solutions and (2) incorporates information security requirements from legislation, directives, policies, regulations, standards, and guidance.

A risk-based strategy gives vice presidents of functional business areas, executive sponsors, and Business Relationship Management portfolio managers the opportunity to make informed risk-based decisions in dynamic operating environments—decisions based on trade-offs between fulfilling business functions and managing the many types and sources of risk that must be considered. Information security risks must be aligned with business risks to accurately gauge the effectiveness of information security controls.

The following key elements are required to effectively manage information security risks for the Postal Service: