Monday, April 22, 2013

Three simple steps to determine risk tolerance (CSOONLINE)

Modern security frameworks are built on a determination of the risks an entity's assets face, and of how the entity addresses those risks: by suppressing the risk (the vulnerability, the probability of occurrence or the threat is removed), by mitigating it (something is put in place that lowers the risk below a certain threshold or transforms it into an acceptable risk), or by transferring/delegating it (for example, covering it with an insurance policy).

CSOONLINE has an article about "three simple steps to determine risk tolerance." I personally find it a bit thin and light, but there are a few good pointers in it.

First - If you don't have a formal risk policy / assessment framework, put one in place. Informal methodologies don't work: they are inconsistent and mask the issues rather than solving them. The framework should also define who is allowed to assume (accept) a risk, and under what assumptions.

Second - Categorize risks as enterprise-wide or business-unit-wide, and delegate ownership of each risk accordingly.

Third - Document how disputes about risks and their delegation are to be resolved.