Waiver is a voluntary relinquishment by the Corporate Security department in cases where security safeguards or controls cannot be implemented and security risk has been accepted by business stakeholders/owners.
Information Security Program should be seen as risk-based and as such requires an effective Security Risk Management component. No security vision or program can be effective unless it is based upon a sound understanding of the pertinent security risks it is designed to control.
Successful Security Risk Management requires the identification, assessment, and management of current and emerging security risks that can cause loss or harm to persons, business operations, information, systems, or other assets.
Security Risk Management is the ongoing process of identifying risks and implementing plans to address them.
Establishing a Security Risk Management practice is mandated and/or strongly suggested by the following industry recognized governance' body-of-knowledge (i.e. frameworks, standards and Best Practices):
As a part of RSS Inc. Security Governance portfolio offerings, our team will help You establish a successful Security Risk Management practice. Our seasoned professionals have established Security Risk Management practices in various industry sectors from conceptual to implementation stages and they are in full compliance with our client's industry applicable requirements.
The following represents some sources of threats a company should be aware of:
Deliberate acts, carelessness or neglect by employees or outside individuals
New or changed business activities and processes
Flaws or weaknesses in technology or system design, implementation, operation,
or maintenance, especially in new or emerging technology
Internal factors, such as staff morale and organizational culture
External factors, such as crime rates, terrorism, war, insurrection, or natural disasters
New or changed legal or regulatory requirements
External public perception
The risk management process starts with identification of pertinent security threat; it should be then followed by a risk and impact analysis so that the assessed security risk can be managed by the following:
Risk Reduction - Implement security controls to lower the risk to an acceptable level
Risk Spreading - Share the risk by splitting assets up
Risk Transfer - Obtain insurance to cover the risk
Risk Acceptance - Accept the risk because it is tolerable
Risk Avoidance - Change the business to remove the cause of the risk
Combinations - All or several of the above
During the engagement, RSS Inc. team will help Your Company establish the following security risk management components:
Corporate Risk Appetite identification and levels
Ongoing security threat identification
Outcomes and Recommendations
Risk Acceptance and Waiver process
Furthermore, our team will help You establish
a centralized repository that will contain the following:
Identified Security Threats
Security Risk Analysis and Outcomes
Risk Acceptance Forms
RSS Inc. team will work in tandem with our client assigned team throughout the entire engagement thus ensuring the knowledge sharing.
There are times when companies do not have the resources or internal knowledge to develop a Security Risk Management. By engaging the RSS Inc. team for short-term outsourcing assistance, it will enable companies to utilize seasoned professionals to establish practice that will provide the planning basis for making sound risk management decisions, used in forgoing investment capital or technology. By bringing the external experience to the table, our clients will be in the position to shorten the information security governance maturing phase.
Successful Security Risk Management will provide an ongoing monitoring of security control' effectiveness and recommend improvements or new controls that will manage risks to corporate acceptable levels.
An additional benefit experience is the creation of a centralized repository where all identified security threats, risks, risk acceptance forms, and waivers are stored so that information is disseminated to all relevant stakeholders.
RSS Inc. team will provide mid and long-term plans containing milestones for implementing Security Risk Management practice and related processes.