Explain how each community of interest must manage the risks the organization encounters.
Explain how information security understands the threats and attacks that introduce risk into the organization, so they often take a leadership role.
Explain how management and users play a part in the early detection and response process and ensure that sufficient resources are allocated
Explain how the information technology community assists in building secure systems and operating them safely.
Emphasize how general management, IT management, and information security management are collectively accountable for identifying and classifying all levels of risk.
Explain that the three communities of interest that are also responsible for the following:
a. Evaluating current and proposed risk controls
b. Determining which control options are cost effective for the organization
c. Acquiring or installing the needed controls
d. Ensuring that the controls remain effective