> Going through the RA literature, you can see there exist several
> options for handling risk, from treating, accepting, transferring, to
> rejecting. Now I can understand the first 3 options, but can anyone
> explain to me why management would choose to reject risk, even if it is
> identified by the InfoSec group? Has anyone experienced this before?
The strategy for treating risk belongs ultimately to Management. So it
is necessary to foresee all of its possible reactions to risk analysis
results.
Obviously, rejection is an insane, dangerous,
"head-in-the-sand" approach that can expose the organization to a lot of
threats.
Conversely, sometimes rejection becomes avoidance, that is, the
management gives up implementing the specific application or service
in which the risk arises. That is dangerous for business but does not
increase the exposure.
--
Paolo Ottolino
CCSE OPST CISSP-ISSAP CISA
--------------------------------------------------
ICT Senior Security Consultant
paolo.ottolino (at) gmail (dot) com [email concealed]
http://www.8linux.org