Sat May 17 10:29:53 PDT 2014

Risk Management: Surety matching: How should surety be matched with risk?


Options:

Option 1: Create standard risk and matched protection profiles and refine protection for systems and situations if necessary.
Option 2: Create a new standard for every encountered instance that is unique and reuse where feasible.
Option 3: Handle each system and situation as an independent risk management effort.
Option 4: Don't match surety with risk, create a set of rules and follow them.

Decisions:

IF every system and situation is truly unique and risks are Medium to High, THEN handle each system and situation as an independent risk management effort,
OTHERWISE IF regulations dominate and minimal protection is desired, THEN don't match surety with risk; create a set of rules and follow them,
OTHERWISE IF the program is not yet at the Defined maturity level, THEN create a new standard for every encountered instance that is unique and reuse where feasible,
OTHERWISE create standard risk and matched protection profiles and refine protection for systems and situations if necessary.

Basis:

Create standard risk and matched protection profiles and refine protection for systems and situations if necessary.

This approach defines a relatively small set of standard protection approaches, each tied to a specific risk level and situation, and applies them wherever feasible to meet the needs of systems and situations. In exceptional cases a profile is modified to meet the need; each such exception is tracked as part of the overall management system and removed when feasible, so that the protection effort stays systematic and retains the economy of scale that standard approaches provide.

Create a new standard for every encountered instance that is unique and reuse where feasible.

For enterprises that have not yet reached a maturity level at which they can define or have defined standard approaches, new standards can be created as each unique instance is encountered and reused where feasible, until the maturity level reaches a point where a limited number of standards can be applied uniformly on a wider scale.

Handle each system and situation as an independent risk management effort.

For enterprises with very high risks, or where every system is truly unique from a protection standpoint, independent risk management can be carried out for each system; however, the costs are likely to be high, and the risk management function far larger than it is for other enterprises of comparable size.

Don't match surety with risk, create a set of rules and follow them.

Many enterprises take a minimalistic stance on security and follow only mandatory protection requirements. These enterprises can often create sets of rules that meet the minimal requirements and follow them without performing any significant matching of surety to risk.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved