Going through the RA literature, you can see there exist several
options for handling risk, from treating, accepting, transferring, to
rejecting. Now I can understand the first 3 options, but can anyone
explain to me why management would choose to reject risk, even if it is
identified by the InfoSec group? Has anyone experienced this before?
Thanks,
-Mohamad.