Management choices when it comes to risk

When it comes to addressing risk, there is no simple answer. There are four ways that an organization can choose to respond to a newly discovered risk.

The organization can choose to do the following:

  • Mitigate risk: Mitigation involves fixing the issue that is causing a vulnerability or implementing a compensating security control if the specific issue cannot be resolved.

For example, good patching is a key component of any well-functioning IT organization. If a missing patch causes a vulnerability, then you would patch the system to mitigate the vulnerability. However, there are often IT devices that must be on the enterprise network and cannot be regularly patched due to vendor limitations or compliance requirements (for example, point-of-sale systems and healthcare devices). In environments where regular patching cannot be conducted, the devices in question must be tightly controlled through network segmentation and monitored by your organization's security operations center. These mitigating controls can allow such vulnerable devices to continue operating.

  • Transfer risk: Transferring risk involves purchasing insurance to reduce the financial burden of a vulnerability being exercised by a threat source.

While information security insurance is currently a booming industry, there are some important points to note.

In order to get insurance, you need to demonstrate you are exercising due diligence and care regarding your information security responsibilities. Many questions will be asked when you start working with an insurance company to develop a policy. In short, you cannot use insurance to implement foundational security controls.

Standard business insurance policies are beginning to explicitly exclude information security incidents. If you think you are covered, you may not be. Check with your provider.

  • Accept risk: Accepting risk comes into play when closing a specific vulnerability costs more than the asset you are trying to protect. In this case, executive leadership may decide that the specific risk will be accepted and that the vulnerability in question will not be closed.

Accepting risk is where the concept of risk ownership needs to be highlighted again. Accepting risk is the responsibility of executive leadership, not the IT team. The IT organization should formulate the best, most cost-effective plan it can and present it to management. If management chooses not to mitigate the risk, that is their right. The IT team should not be making the decision to accept risk on management's behalf.

  • Avoid risk: By avoiding risk, the organization chooses not to engage in the behavior that is causing the risk. For example, the organization may choose to remove a vulnerable server from the internet until it is patched.

While risk avoidance is certainly an option, it is not one that will typically be exercised. It is a difficult call for management to remove a required business system from the network. When avoidance is used, it may be for less critical functions.