What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
The term “acceptable information system security risk” refers to the level of risk that an organization is willing to tolerate or deem manageable within its information systems. It represents the balance between the potential security threats and vulnerabilities an organization faces and the resources it is willing to allocate to mitigate those risks. Determining what is an acceptable level of information system risk is a complex process that involves various stakeholders within an organization. Senior management is able to offer an outlook into the overall risk appetite of the business. CISOs (Chief Information Security Officers) work in tandem with senior management in order to inform them of what is needed to minimize the company’s information systems risk, and the legal team helps ensure that the organization complies with legal requirements and industry-specific regulations. The combined knowledge from all of these groups helps an organization to determine what it deems an acceptable level of risk.
I quite agree with the term you used, ‘tolerate or deem manageable’. Inasmuch as the impact of the risk to the organization is not catastrophic, leading to major damage with multiple severe adverse effects on organizational operations, assets and individuals, when the impact analysis is carried out and the risk impact level is either Low or Moderate, it is still manageable if proper risk management is applied.
Acceptable information security risk is defined as the level of risk that has been regarded as a reasonable scope of potential loss for particular data. Acceptable information system security risks are achieved through the implementation of a risk management system. Information security risks can be accepted depending on their level of impact on the organization (Low, Moderate or High impact). Risk is accepted by business management (the business process owner) in collaboration with IT departments, and it should be communicated to the appropriate stakeholders, e.g., senior management and the board of directors.
The organization determines an acceptable level of risk by knowing what is most important to the organization, understanding the threats it cares about and the controls it has put in place to manage those risks. The organization can determine the acceptable risk level once it understands the issues that could disrupt business operations. The context of the risks in the business needs to be understood before the risks can be accepted. Moreover, the organization will have to identify the risks against the organization's assets, assess the risks and rate them as Low, Moderate or High impact, then prioritize the risks, then decide if the risk is acceptable to the organization.
Identifying what is important to an organisation is a vital process in risk management; this is largely captured in the Asset Inventory, from which risk assessment/analysis is done. The business impact analysis is also carried out on core/critical business operations. The results of these analyses can also be used by management to inform defining the acceptable level of information security risks.
The balance of resources to address the threats and vulnerabilities that inform what we call risks is a key decision management is responsible for. While there’s no one-size-fits-all to address this, it is important that this is defined clearly and communicated to all relevant stakeholders for proper implementation.
Hey Edge,
I like your perspective on the concept of “acceptable information system security risk.” You’ve captured the essence of how organizations approach this issue. Based on my experience, conducting risk assessments is extremely important. Like patching and updating systems to address new vulnerabilities, businesses should continuously reevaluate their risk profiles. This allows them to stay ahead in this evolving landscape.
The term “acceptable information system security risk” refers to the amount of risk that is tolerated until steps are taken to apply an appropriate risk management strategy. The reason that a company is willing to accept a certain amount of risk is that there is only so much time and money it can spend on IT security risks, and it would not be practical to attempt to mitigate every level of risk. For example, a company may accept a low-probability, low-impact risk in order to allocate those resources to a more probable and more impactful risk.
Hello, it is true that a low-impact risk can have some resources pulled away to something that may be high impact and high risk. The way an organization can determine that risk involves a risk profile and coming up with scenarios with high- and low-impact risks to determine where its resources should be allocated. It would also have to reflect the company's mission, strategy, objectives, and available resources.
In an ideal world, we could fix every potential problem; however, oftentimes we find that we are too busy and/or incapable of fixing everything. A similar principle applies with acceptable information security risk. Basically, if a company sees that there is not much risk associated with a certain part of the company, it will accept it and focus its efforts on more urgent risks. An organization would look at what is vulnerable, its level of importance, and what the risk of it happening is; if an organization finds that there is a low possibility of this information being stolen and it's not information that is too important, it's likely it will be categorized as acceptable information security risk.
Hi Hashem, I like your opening line, it speaks to the hard truth with all information risk: that you can’t fix everything. It really gets at the foundation of all of it, that the reason you need to assess risks so heavily is that you need to figure out which ones you can actually do something about or which ones really need to be figured out.
Acceptable information system security risk refers to the level of risk that a company deems reasonable in the context of its information security practices. Acceptable information system security risk indicates the potential impact of potential threats, vulnerabilities, and security incidents, used to determine what risk is acceptable to occur. Senior management, like the CEO, CFO and CIO, have a huge role in defining the acceptable level of information. Also, the risk management team, board of directors and IT department have a significant role in defining the acceptable level of information. Determining what is an acceptable level of risk is a very complicated process. They should first specify their goals, governance and guidance. After that, to determine the level of information system risk, they need to identify their risks and they need to analyze and prioritize them. They need to define their risk tolerance and risk appetite.
Hey Eyup, one point that you mentioned that I liked was about how determining the acceptable level of risk is a difficult process. Not only is it difficult because of all the steps that you listed, but it’s also difficult because there is always a level of uncertainty, and the organization has to accept that level of uncertainty. I wonder if there has ever been a situation where a company had an acceptable level of risk in one area and lost its data in that one area? I also wonder if there have been areas that shifted; for example, what may have been considered an acceptable level of risk is now something that needs to have extra attention on it.
You touched on a good point. But I think data breach or data loss should not be an acceptable IT security risk from a professional or ethical standpoint. I believe that if there is a shifted risk, the degree of risk should be changed and it should no longer be called acceptable.
The term “acceptable information system security risk” refers to the level of risk the organisation is willing and able to accommodate as defined and determined by the corporate/business strategy and other factors such as political, environmental, social and technological bound by the organisation’s resources, legal and compliance requirements, etc. The acceptable information system security risk also determines the risk response strategy the organisation adopts.
To determine the acceptable level of information security risk, the board of directors leads the committee of stakeholders of which the outcome is strategically executed by senior management by directing the functional/operations team for the tasks and deliverables.
The organisation determines this acceptable level of information security risks by considering its context, mission, vision, strategy and available resources. All of these and not limited to these serve as input into determining this.
Hi Ooreofe, based on my time working in IT, I find the explanation to be in line with the approach commonly embraced by corporations. However, one aspect that seems to be emphasized is the challenges faced at the operational level. While strategic decisions are made by higher-level executives, it’s the teams that often bear the brunt of these choices in a way. It would have been valuable to include insights from these teams and consider how real-time events can sometimes require a reassessment of what risks are considered ‘acceptable’.
Hello, you make a valid point: the organization should consider its context, mission, vision, strategy and available resources, because without these points you’ve made it can be quite difficult to find out what should be deemed acceptable and not. The objectives of the organization should also be considered when figuring out what should be acceptable risks, because a risk can derail the company if it interferes with the organization's objectives and maybe its goals.
When discussing the concept of “acceptable information system security risk,” we are referring to the extent to which a company can tolerate risks. This is influenced by factors including advancing technology, legal obligations, and broader global considerations such as changes or environmental issues.
Typically, the board of directors of a company establishes its stance on risk. Below them, a dedicated risk committee delves deeper into assessing the details. The Chief Information Security Officer (CISO) is then responsible for developing security strategies based on these guidelines. Subsequently, technical teams are assigned to implement and oversee these strategies.
To determine what level of risk is deemed ‘acceptable’, companies typically follow these steps:
1. Look into potential online threats and how likely they are to occur.
2. Discuss with various teams to get their insights.
3. Monitor what other businesses in the industry are doing. It’s smart to learn from them.
4. Stay alert; the digital landscape keeps evolving.
This process follows an approach that combines overarching decisions, cross-departmental collaboration and regular updates.
Yes Yannick, you are very right about the steps you itemized; by following these steps, an organization can systematically determine acceptable risk levels and develop a robust risk management strategy to protect its interests and achieve its objectives.
Hi Yannick, I agree with your process overall, but I think it is very important to consider the overall risk tolerance of the company you are working with first, as this allows you to better understand what they may consider to be a threat, and what things they may consider negligible.
The term acceptable information system security risk is the amount of risk that the organization is willing to handle if the outcome were to happen. If the company were to have a low-impact risk on the organization and it wouldn’t damage the company in such an extreme way that the company would shut down or have an extreme loss, it would then be deemed acceptable. It mainly means that the risk is known and that it is there. The risk management staff and board of directors of the organization are the ones that determine the acceptable level of information system risk, provided it abides by the policy of the organization. The organization would determine the acceptable level of risk through a process that eventually comes down to risk scenarios that will give the organization some insight as to how the business would be impacted.
The term “acceptable information system security risk” refers to the level of risk an organization is willing to tolerate in order to achieve its business objectives. The acceptable level of information system risk is determined by the organization’s senior leaders and executives, who are responsible for establishing the organization’s risk management strategy, policies, and oversight. Organizations determine acceptable levels of risk by following systematic processes that identify, analyze, evaluate, and address risks affecting their information systems and operations.