Monday, November 24, 2014

Formal Risk Acceptance


The Security Executive's Ultimate Tool

I recently met with seventy-five chief information security officers.  I was reminded that they are staff, not line, executives.  Their authority is limited. They do not own the assets to be protected nor do they have the authority and discretion to allocate resources to that protection.  While they can propose standards and guidelines, they usually do not have the authority to mandate or enforce them. They can neither reward nor punish.

The real work of protecting assets rests with the managers who are responsible for those assets, for allocating them, for prescribing how and by whom they may be used.  As much as we might wish that it were otherwise, the responsibility for protecting assets cannot be separated from the discretion to use them, from "ownership."

Yet when things inevitably go wrong, when systems are breached, data leaks, or applications are fraudulently used, it is likely that the staff executive will be held accountable, if not lose his job.  There are a number of tools available to the staff executive, including persuasion, awareness training, standards, guidelines, measurement, and reporting.  Another, and the subject of this blog, is formal risk acceptance.  It is the staff security executive's measure of last resort.

There are three things that management can do with risk.  They can mitigate it, accept it, or assign it to others through insurance.  Unfortunately, risk acceptance is often "seat of the pants" and without accountability.

Formal risk acceptance is a process in which the risk is documented by staff, usually security staff, and accepted by line management.  The expression of the risk may refer to policy, standards, guidelines, or other expressions of good practice.

Documentation of risk will usually involve some negotiation so that the accepting manager understands the real risk, the description or expression of it, and the alternatives to accepting it. Therefore, this negotiation may involve some reallocation between mitigation and acceptance.  As these negotiations proceed, the manager's understanding of the risk and his options will improve and may result in choices that were not apparent when the negotiation began. The document should also describe and price all alternatives to acceptance that were considered. Note that sometimes a risk is accepted in part because it is believed that it is cheaper to mitigate it late than early.

The manager who accepts the risk must have the authority, discretion, and resources to mitigate the risk if he chooses to do so.  This test is necessary to ensure that the risk is accepted by the right manager or executive.  Said another way, risk should be accepted by a manager or executive who could implement one of the alternatives if he or she preferred.  It should not be accepted as a forced choice.

Risk acceptance decisions have to be revisited periodically.  Therefore, they are finite; they expire.  Often, the risk acceptance is part of a plan to tolerate the risk for a fixed period of time but mitigate it before a time certain in the future, for example in ninety days.  In such cases, the plan's scheduled date for the mitigation becomes the expiration date.  Where there is no plan, the acceptance should expire after a term set by policy, usually one year.  This ensures the decision will be reviewed periodically.  Managers should understand that risk acceptance is not the same thing as dismissing or ignoring the risk.

Finally, risk acceptances should expire with the authority of the accepting manager or executive. When a manager's tenure ends, for whatever reason, all risks accepted by that manager must be revisited and re-accepted.  This will usually be by the manager's successor.  However, in the case of reorganization the risk acceptances may be distributed across multiple other managers.

Staff should keep track of all outstanding risk acceptances, ensure that they are revisited on time, measure whether in the aggregate they are increasing or decreasing, and report on them to higher management.

While, as a matter of fact and by default, a manager does accept any risk which he fails to mitigate or assign, some may be reluctant to document the fact.  In such cases, the staff should escalate.  In any case, the risk must be documented and shared with higher management.

Special attention should be given to audit findings.  While some of these may result from oversight, some may result from decisions taken but not documented.  Note that auditors are rarely in a position to assess the risk associated with their findings.  Therefore, risk assessments should be documented for all their findings and used in the planning process as to what to do about them.  Risk acceptances must be documented for any findings that will not be mitigated before the next audit.  Auditors may want to attend to whether cumulative risk is going up or down.