A question recently came up that left me wondering about organizational authority to accept risk or, more specifically, enterprise security risks. One of the less defined aspects of this important area I find in organizations is who in the organization has the ability to accept risk, and to what level. Very few organizations have defined threshold levels that classify the risks that individuals can and cannot accept on behalf of the organization. This can become important when you consider the decisions that staff, managers, directors and senior management make on a daily basis when there are no defined boundaries for risk acceptance.
It seems like such a short time ago that we formed the PCI Security Standards Council and embarked on our goal to improve payment security through increased awareness and adoption of the PCI Data Security Standard (DSS).