IT Risk Management

Following the theme from my previous blogs, if you deal with client data, you must keep it protected. Protecting data is one component of risk management.

There are typically five ways to deal with risk:

  • Avoid the risk
  • Implement mitigating controls
  • Transfer the risk
  • Accept the risk
  • Exploit the risk

Avoid the Risk:  Stop doing the things that create the risk. For example, minimize the amount of client data you collect and store about your customers. If you hold data that you don’t need, purge it. The more data you store, the greater your risk.

Implement Mitigating Controls:  Implementing mitigating controls brings risk down to an acceptable level. An example of a mitigating control is a firewall. Connecting a network to the Internet is a very risky proposition. By placing a firewall at the perimeter and running a good endpoint solution (virus protection and patch management), you reduce the likelihood of a cyber threat doing damage to your network.

Transfer Risk:  Transferring risk is sometimes referred to as sharing risk. Essentially, transferring risk means buying insurance to protect against a loss. Cyber insurance is a relatively new product, and because it is new, there is an inherent risk in selecting and understanding the differences between cyber policies. A few things you need to consider when selecting cyber insurance:

  • What controls must be implemented to maintain coverage?
  • What is covered and what is excluded?
  • What are the reporting requirements and timelines?

Accept the Risk:  Accepting risk is not as straightforward as it sounds. In order to accept a risk, you must be able to articulate what you are choosing to accept. You can’t just arbitrarily state that it was too expensive or too hard to deal with. You must have enough evidence to show why it was unreasonable for your organization to protect against a known threat. A good risk assessment will help you justify how you spend resources to protect against risks. A risk assessment should be performed on an annual basis or whenever there is a significant change.

Exploit the Risk:  Exploiting the risk sounds a little strange, and it is outside most IT risk management frameworks (RMF). Exploiting the risk is best explained with an example. Imagine you are a manufacturer coming out with a new widget. You have invested in marketing, but you are not sure how successful sales of the new widget will be. You have decided to take a conservative approach and produce only X number of widgets. The risk here is that if the widget becomes highly popular, you may not have enough widgets to meet market demand, but you go to market anyway.

Request your free network assessment today. There is no hassle or obligation.

If you would like more information, contact us here or call 937.885.7272.

Posted by Jack Gerbs