Security & Risk Management


The Security and Risk Management domain provides the core components of an organization's Information Security Program to safeguard assets and detect, assess, and monitor risks inherent in operating activities. Capabilities include Identity and Access Management, GRC (Governance, Risk Management, and Compliance), Policies and Standards, Threat and Vulnerability Management, and Infrastructure and Data Protection.

Relationship to Other Domains

SRM provides the security context for IT Operations and Support (ITOS). ITOS capabilities and functions have security aspects that are critical to the delivery of the IT services that support the business. SRM is a key component of Operational Risk Management under Business Operation Support Services, in that security risks are crucial data points in the organization's business intelligence and supply the information needed to make sound business decisions. Human Resources supports the SRM agenda through vigilant attention to the workforce. SRM provides the Identity and Access Management services that are a prerequisite to presenting data to users. Protection of data in transit, at rest, and in use is a critical underpinning of the processing and manipulation of data by application services. SRM in turn depends on the core components and capabilities provided by Infrastructure Services, including physical security of facilities and patch management.


An employee working from home must log into the corporate VPN using the one-time password token on his key fob. A new website being built is tested for compliance with corporate security policies. A thief cannot read data on a stolen laptop if its hard drive has been encrypted.
