Risk Management Strategies – CompTIA Security+ SY0-701 – 5.2

We have many options with managing risk. In this video, you’ll learn about transferring risk, accepting risk, avoiding risk, and more.
An organization might use a number of different strategies to deal with risk. One of these strategies might be to transfer the risk. That means we move the risk under the control of a different party. A very good example of risk transfer would be the purchase of cybersecurity insurance.

Another alternative is for the company to simply accept the risk. This is usually the most common course of action, and it leaves the company free to decide how it wants to handle that risk. In some cases a company accepts a risk by granting an exemption to one of its existing policies: a particular security policy cannot be followed for a specific system, so a formal exemption is required.

For example, an organization may have purchased a large piece of manufacturing equipment that runs the Windows operating system, but the manufacturer of that equipment does not support patching or updating the operating system on the device. That means the monthly Microsoft updates cannot be applied, even though company policy says that every device must receive those patches. In that case, company management may approve an exemption for just that device, provided the device is not connected to the network.

There may also be cases where the risk is accepted through an exception to the security policies you have in place. For example, the organization may have decided that every device must be patched within three days of a patch being made public, but during testing the company finds that this month’s set of patches causes a critical software package to crash.

To resolve this conflict between the required patching time frame and a patch that breaks a critical application, the company can create an exception. In this example, the exception allows the company to wait more than three days so that it can update its software to work correctly with these patches before deploying them.

Another risk management strategy is to avoid the risk entirely. In that case no additional risk management is needed, because that particular risk has been completely removed from the organization. And in some cases, we may be able to mitigate the risk. For example, if we’re concerned about risk coming from the internet, we may invest in a next-generation firewall, which reduces some of the risks associated with that connectivity without removing them completely.

An organization may have tens or even hundreds of risks that need to be tracked, and one way to track them is through risk reporting. A risk report lists every risk the company is tracking, along with a description of each risk and how it is being handled. This document is commonly referenced by upper management, especially the managers who need to make business decisions about what to purchase and how to handle these risks.

The risk report is usually a living document that is updated continually. It typically highlights critical risks and emerging risks, particularly those that company management should consider when making further business decisions.