Information Security News mailing list archives

Three simple steps to determine risk tolerance


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 17 Apr 2013 01:14:49 -0500 (CDT)

http://www.csoonline.com/article/731833/three-simple-steps-to-determine-risk-tolerance-

By Craig Shumard
CSO
April 16, 2013

For CISOs, beyond deciding what policies, processes, or technology an organization should have in place, an even more significant challenge is successfully negotiating disputed risk issues. The process for determining risk tolerance is fraught with organizational politics, and it goes without saying that each organization's circumstances call for a customized fit. When determining a process, the most important aspects to take into account are how an organization decides on risk tolerance, how security risk assumption decisions are made, and who has the authority to assume security risks.


How to determine risk tolerance within your organization

Every organization has a risk tolerance model, ranging from a formal documented process to an undocumented one, or more often than not something in between. To address the problem, first determine where on this spectrum your organization lies.

Found in organizations with mature enterprise risk management (ERM) processes, a formal documented risk tolerance and assumption process clearly defines the authority levels for assuming risk and specifies who can assume and sign off on the risks. This process establishes a "governance procedure" and is often based on quantifying the risks and exposures. Even in these organizations, however, the ERM processes often do not adequately simplify the resolution of contested security issues.

[...]
