Mitigating Information Security Risks

IT systems are a double edge sword. Not only do they increase employee productivity and reduce costs, they also increase risks as intellectual property and sensitive information are stored in a central location. Assessments can help organizations identify and manage risks.

Once risk areas have been identified, organizations have a number of ways to mitigate or reduce their risks:

• Risk Assumption. Accept the potential risk and continue operating the IT system or implement controls to lower the risk to an acceptable level. Administrative, physical, and technical controls help lower the organization's risks.
• Risk Avoidance. Avoid the risk by eliminating the risk and/or consequence. For example, bypass or eliminate certain functions of a system or shut down the system when risks are identified.
• Risk Limitation. Limit the risk by implementing controls that minimize the adverse impact of the risk. For example, implement preventive controls such as Intrusion Prevention Systems (IPS) that actively identify and restrict access to information.
• Risk Planning. Manage risks by developing a risk mitigation plan that prioritizes, implements, and maintains controls. Implement managed services to minimize risks.
• Risk Research. Lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
• Risk Transference. Compensate for the loss by transferring the risk to another party. In addition to securing systems, organizations have the option to insure against security breaches. For example, insurance can cover the cost of regulatory mandated notifications that a security breach has occurred as well as fines, fees, or penalties arising from privacy or consumer protection errors.

Risk assessments and network security audits help organizations identify, manage, and reduce their risks. Formal and documented policies ensure a top down approach to managing network security risks.