Who has authority to accept risk?

If a network infrastructure manager can deploy a new wireless technology to extend the network's geographic coverage, that person may also be creating a security risk for the organization. We know the manager has the capability to deploy the system, and may verbally accept the risk on behalf of the IT group, but the question remains: does the manager have the authority to accept this risk on behalf of the data owners, the lines of business and the organization as a whole?

Similarly, if a department manager refuses a budget request to fund a risk assessment project, one could argue that the manager is choosing to accept the unassessed risks that come with not completing the assessment. Without the assessment, new risks may enter the organization unnoticed, or existing countermeasures may prove insufficient against a new or expanded threat in the environment. Does the department manager have the authority to accept this risk on behalf of the organization?

The problem here is one of governance structure and its relationship to operational authority. There is often a disparity between those in the organization who hold operational responsibility for activities and those who hold the authority to accept liability on behalf of the organization.

If you are in an organization with this situation today, it may be worth a conversation with your risk council, audit department or risk management department. There are options for addressing the issue, including aligning budget responsibility with the authority to accept risk, defining risk acceptance levels more precisely, and institutionalizing these programs throughout the organization. It may also be advantageous simply to promote a culture in which risk is never accepted without sign-off at a defined level.

Aligning security risk acceptance levels with operational decision-making in this way will add clarity to the security risk management process in your organization.


30 SECONDS ON...  

What is it?
Proactively managing risk is a better approach to information security than simply reacting to incidents when they occur, says Mitch Tulloch, president of MTIT Enterprises, a Canadian IT content development company.

Help is a click away
Security risk management guides are available on the websites of Microsoft, the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Computer Emergency Response Team (CERT).

A chosen few
A new report from McAfee, "International Perspectives on Information Security Practices," reveals that businesses are reliant on a limited number of specialists who can manage information risks and understand compliance.

Compliance incentives
Visa USA announced last month that it will offer $20 million in financial incentives and create new sanctions in an effort to further merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS).
