When it comes to addressing risk, there is no simple answer. There are four ways that an organization can choose to respond to a newly discovered risk.
The organization can choose to do the following:
- Mitigate risk: Mitigation involves fixing the issue that is causing a vulnerability or implementing a compensating security control if the specific issue cannot be resolved.
For example, good patching is a key component of any well-functioning IT organization. If a missing patch causes a vulnerability, then you would patch the system to mitigate the vulnerability. However, there are often IT devices that must be on the enterprise network and cannot be regularly patched due to vendor limitations or compliance requirements (for example, point-of-sale systems and healthcare devices). In environments where regular patching cannot be conducted, the devices in question must be tightly controlled through network segmentation and monitored by your organization's security operations center. These mitigating controls can allow these vulnerable devices to continue operating.
- Transfer risk: Transferring risk involves purchasing insurance to reduce the financial burden of a vulnerability being exercised by a threat source.
In order to get insurance, you need to demonstrate that you are exercising due diligence and due care regarding your information security responsibilities. Many questions will be asked when you start working with an insurance company to develop a policy. In short, insurance cannot substitute for foundational security controls; you must already have them in place.
Standard business insurance policies are beginning to explicitly exclude information security incidents. If you think you are covered, you may not be. Check with your provider.
- Accept risk: Accepting risk comes into play when closing a specific vulnerability would cost more than the asset it affects is worth. In this case, executive leadership may decide that the specific risk will be accepted and that the vulnerability in question will not be closed.
- Avoid risk: By avoiding risk, the organization is choosing not to engage in the activity that is causing the risk. For example, the organization may choose to remove a vulnerable server from the internet until it is patched.