process is flexible enough to accommodate corporate espionage, terrorists, kidnappers, and other threats of intelligence and intent. Chapter 13 elaborates on a threat schema and threat taxonomy.
5.4.3 Scope of Control
No amount of planning or investment will provide the organization with complete control over all operational aspects. Therefore, the organization must prepare to deal with aspects over which it has:

- Direct control
- Indirect control
- No control
- Influence
- Control response
When the organization has direct control of an asset or process, a risk can be identified, mitigation options examined, risk management measures implemented, and operational adjustments made. Now consider that your organization provides 95 percent of Company Y's revenue, and a risk in Company Y has been identified. Your organization has indirect control over Company Y's mitigation efforts. Your organization has no control over electrical power supply interruptions due to natural events. However, your organization may be able to influence its place on the power company's power restoration priority list, thus limiting operational losses and reducing expensive investments in power generators. Similarly, the importance of your revenue to Company Y may give you a level of influence in that company's approach to mitigating risk that may affect your organization.
This also exemplifies an organization's ability to control its response to situations over which it has no control. Perhaps it cannot control loss of power, but it can control its response; choices include risk acceptance (we're out of power so send everyone home) or risk mitigation through installing UPS (we can control our response to a loss of power by supplying our own power for a time).
The point is to be aware of scope of control during the architectural process and address risk governance and risk management from the proper perspective. Assign accountability for risk mitigation appropriately and set expectations that although not all risk management is under direct control, the organization does control its response to risks.
5.4.4 E-Insurance
Chief executive officers (CEOs) make investments in risk management, not security. Risk management options include risk acceptance, risk mitigation, risk sharing, or