A key part of Information security is the practice of protecting systems / data by mitigating risks.
The risk management process identifies risks, and for each risk the following is assessed:
- the likelihood of that risk being exercised.
- the impact that it will cause.
This process will result in a register of risks with a wide spectrum of 'level of concern'.
Its then a business decision, based on their appetite for risk, to decide how to address each risk – the options are:
- Avoid - is to resolve the risk so as to completely eliminate it.
- Accept - is to acknowledge the risk and choose not to avoid, transfer or mitigate … might do this if the assessed impact is small or the likelihood of it happening is remote.
- Transfer - is to move the risk to a third-party – perhaps take out insurance.
- Mitigate - is to do something to reduce the likelihood or impact of the risk.
This will be an iterative process, so that the results of ongoing monitoring are fed back into subsequent cycles of the process.
We can reduce risk – by doing the right things and this breaks down into four distinct categories.
- Secure by Design.
- Secure the Code.
- Secure the Environment.
- Secure the Operations.