The easiest way to treat a risk is not to.
Risk acceptance is perfectly reasonable in many cases where it would be too expensive or even impossible to mitigate a risk. Exposing a system to the Internet carries substantial risk and yet we do so because that's where potential customers are.
Who has the authority to accept risk? It's down to policy, ownership of systems and ultimately management structures.
Risk acceptance should be a conscious, documented decision and not just lack of action.
(some of) my events
- 2019-04-09--11 Operativ informationssäkerhet (teaching course, Stockholm)
- 2019-03-06--08 Strategisk informationssäkerhet (teaching course, Stockholm)
- 2019-01-29 Certifierad informationssäkerhetsarkitekt, del 1 (co-teaching course, Stockholm)
- 2019-01-10 Certifierad IT-arkitekt (guest lecturing, Stockholm)
- 2018-12-13 Datakommunikation och IT-säkerhet (guest lecturing, Högskolan i Gävle)
2013-03-01
Subscribe to:
Post Comments (Atom)
last chance...
