Most of the time the answer stems into one common issue – the company executives do not fully understand or aware so they end up accepting the risks whether they know or not!
Imagine a world were a concern stock holder for a large retail company investigated all quarterly board notes after a large credit card breach. And that stock holder found a document signed by the Board that was a contract accepting the risk of “not spend money to conduct an in-depth assessment on 3rd party contractor accessing internal systems Wouldn’t that be interesting!
Any project that has a major impact to the business should be documented in some way, at least. If the project cannot be funded, staffed, or not completed for any reason a Risk Acceptance Document should be on file signed off by Top Level staff or the Executive Board if one exists. This is not just a "CYA" form to protect someone's job once a Nation State decides to attack your company or a Cyber Criminal organization steals all of your customer credit card data and information. This is a process that integrates awareness into the Top level staff and/or Executive Board.
Once they are aware that they have to sign off for not approving something, they may take a deeper look. It is crucial that you sell the process to the executive level with a warm heart and purpose, more than a CYA hammer to just get shut down by the executives that have the real hammer. It is key to have a risk acceptance documentation process built into the budget request process for your company, department, and/or team. Have the processes already in place be your force multiplier!
Key Items to Include
Have a quick one page instructions/policy page explaining the document which should include the following:
- Purpose of form
- Definition of Items
- Point of Contact.
The Main Policy form should have the
- Map your Risk to a IT Security framework your department or Company adheres to, examples include: Top 20 CIS Critical Controls, NIST 800-53, Sarbanes-Oxley, HIPPA, PCI-DSS, etc. Note: If your company does not have a framework don't worry, just make sure to explain the next item in detail… try to include charts and unicorns!
- Explain the deficiency in detail and state the current threat, potential business impact and loss. This is where you would state the control deficiency based on your Company's desired controls framework.
- Explain the justification for acceptance i.e.no budget, no high priority by executive, etc. in a detailed efficient manner.
- Description of possible compensating controls and requests associated with implementing the control.
- Additional Remarks and Comments; try to include potential ROI or cost/benefit analysis that could be done to further document the business impact analysis.
- Then for
the main part of the policy, signature
and dates of the follow or who your Company thinks is best to include:
- Responsible Party (Executive of Business Unit)
- Director of Department(s)
- Head of IT Security (CISO)
- Head of IT (CIO)
- Board of Directors or CEO
- Risk Acceptance Expiration Date!!!! You need to have a date set to re-review these type of items.
The Primary Goal
Once the top level executives are more aware of what is getting thrown under the rug, the more they will start caring about investing to protect what makes their business grow and make money. It is your job to make them aware of the risks in a language they can understand, not their job; they hire you for that! If your company does not have that dedicated job role or enough staffing in that area, then you need to rally and attach to a process that already exist to help tell your story to the Executive level. Will this strategy solve all your problems communicating and documenting risk to the executive level? Not at all, this is just one of many. Give us a call, tell your story, we would be happy to steer you in the correct direction.
All this reading and good ideas, but remember the problem cannot solve itself, head over to our resource section for an example Risk Acceptance Instruction and Policy Form so you can get started immediately.