The management structure refers to how responsibilities are assigned. When defining the scope of a risk assessment, it is helpful to keep the scope within the ownership of a single entity, because a single owner can implement the resulting recommendations more easily.
A small organization may have a single information technology (IT) division that is responsible for all IT systems and processes. Because its staff members control all IT systems, they can implement recommendations for any of the systems.
However, a larger organization may have several IT divisions. In this case, various managers or management teams oversee different IT systems, and each manager has different responsibilities. For example, an organization may have the following divisions for IT management:
Group Policy is an automated management tool. A policy can be set once and applied to all users and computers in the domain. For example, a password policy can be set that applies to all users, which ensures that users choose strong passwords and change them regularly.
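The following PowerShell session is an added example, not part of the text, that shows what "set once, applies to every user" looks like in practice for the domain password policy described above. It assumes the RSAT ActiveDirectory module is installed, that the account running it may edit the default domain policy, and that the domain name, threshold values, and the `$findings` list are placeholders chosen for illustration rather than values from the text.

```powershell
# Added example (not from the text): read the domain-wide password policy that
# Group Policy applies to every user, record weak settings as assessment
# findings, then tighten the policy in a single change.
# Assumptions: RSAT ActiveDirectory module present; "corp.example" is a
# placeholder domain name; the numeric thresholds are illustrative.
Import-Module ActiveDirectory

$Domain = 'corp.example'   # placeholder; replace with the domain FQDN

# Current policy: the settings every domain account is subject to today
$current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$current | Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                       MinPasswordAge, PasswordHistoryCount, LockoutThreshold,
                       ReversibleEncryptionEnabled

# Settings an assessor would list as findings (thresholds are illustrative)
$findings = @()
if ($current.MinPasswordLength -lt 14)            { $findings += 'MinPasswordLength below 14' }
if (-not $current.ComplexityEnabled)              { $findings += 'Complexity not enforced' }
if ($current.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += 'Passwords never expire' }   # zero age = no expiry
elseif ($current.MaxPasswordAge -gt (New-TimeSpan -Days 365)) { $findings += 'MaxPasswordAge over 365 days' }
if ($current.PasswordHistoryCount -lt 24)         { $findings += 'PasswordHistoryCount below 24' }
if ($current.LockoutThreshold -eq 0)              { $findings += 'Account lockout disabled' }
if ($current.ReversibleEncryptionEnabled)         { $findings += 'Reversible encryption enabled' }
$findings

# Apply the recommended settings once; Group Policy pushes them to all users.
# -WhatIf only previews the change; remove it after reviewing the output.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false `
    -WhatIf
```

Because the policy is a single domain-level object, the `Get` call is also a convenient evidence-gathering step for a risk assessment: one query documents the control that applies to every account, and the `Set` call is one recommendation that the owning IT division can implement without touching individual systems.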
A small organization may perform a risk assessment for many systems at the same time. However, a larger organization will likely separate the risk assessments. For example, consider a large organization that hosts e-commerce websites. Elements of the websites include web servers, database servers, and firewalls, but various divisions within the organization manage these different elements: one division manages the web servers, another manages the database servers, and a third manages network security, including the firewalls. Performing a single risk assessment on all three elements can be challenging, especially when implementing recommendations, because managers in the different divisions might have competing goals, schedules, and priorities.
However, if the organization assesses a single division at a time, the results are easier to implement. For example, three separate risk assessments could be performed, one each for the web servers, database servers, and firewalls. Each assessment would have specific recommendations targeted for the owners of the system.