Risk Management
Published Mar 7, 2023. Updated Apr 2, 2023.
Risk management is a detailed process of identifying factors that could damage or expose data, evaluating those factors, and implementing careful solutions for mitigating, or reducing, risk.
Risk Management In-Use
An organization may need to employ risk management strategies to mitigate and safeguard against cybersecurity threats. Cyber risk management can encompass the identification of risks, assessment of those risks, and the implementation of controls to reduce the risk.
Commonly Used Risk Management Frameworks
- NIST CSF: The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a voluntary framework that consists of standards, guidelines, and leading practices for managing cybersecurity risk.
- ISO 27001: The International Organization for Standardization (ISO) publishes the leading international standard focused on information security, known as ISO 27001. This is also a voluntary international standard.
- SOC 2: System and Organization Controls (SOC) 2 is a security framework that details how organizations should protect customer data. Organizations are not legally required to be SOC 2 compliant; however, many companies have outside auditors perform audits to show compliance with all of the requirements.
Risk Management Strategies
The following four strategies are commonly used in cyber risk management.
- Acceptance: Acceptance occurs when a cost/benefit analysis shows that the cost of prevention and protection would outweigh the possible cost of loss due to the risk.
- Mitigation: Mitigation is when controls and other preventive measures are used to reduce the level of risk facing an organization.
- Risk Transfer: Risk transfer occurs when one party shifts the pure risk it faces to another party.
- Avoidance: Avoidance occurs when a party eliminates the risks and hazards that could negatively affect an organization and its assets.