Almost every organization holds something valuable in its IT systems: social insurance numbers, bank account numbers, the controls for an electrical utility, product formulas, customer lists and so on.

Obviously, some systems or data are more important than others. Losing some will bring the organization to its knees, either because it can no longer function or because its reputation has been damaged. Losing others may be merely annoying for a short period.

An organization's risk tolerance determines the policies and technologies it will adopt to mitigate the risk of such losses. But, as consultant Craig Shumard points out, it's not easy to create a risk process: there is no generally accepted template for building one.

In fact, because organizations are so different, the process has to be unique to each one.

To create a risk tolerance model, Shumard suggests three steps: designate someone to make security risk decisions, categorize each risk as affecting the entire enterprise or only particular business units, and document how issues are resolved.

For some organizations, unfortunately, this will be their beginning. But at least it will be a step.

Read the whole story here