Define Your Organization's Risk Tolerance (Part 2 of 7: Mitigating Risks of Unsupported Operating Systems)
Risk tolerance--the amount of risk an organization is willing to accept--should be part of your organization's comprehensive risk management program. In this post, I describe how your organization can define its risk tolerance.
Unsupported operating systems can expose your network to attack. This blog series outlines five actions your organization can take now, including defining risk tolerance; using software inventory management; upgrading, retiring, or replacing software; implementing whitelists; and establishing long-term software maintenance policies. These actions ensure your organization's cybersecurity.
An organization must understand and quantify its risk using a well-defined risk management program. To quantify these risks, you must identify the financial impact of potential breaches, including estimating the cost of cleanup and the potential loss of productivity.
You can use tools and frameworks to define your organization's risk management program. One framework is CERT OCTAVE, which describes an organization's risk tolerance, identifies assets critical to its mission activities, identifies potential vulnerabilities and threats, and evaluates the consequences if the threats are realized.
The NIST Risk Management Framework (RMF) is another framework that helps an organization gauge its acceptance of risk to its operations and assets. The RMF enables you to continually manage your operational risk. While there are other frameworks and tools to consider, OCTAVE and RMF used together provide a comprehensive approach to risk management.
Defining your organization's risk tolerance drives decision making related to risk management. It's the responsibility of your senior leadership to define the organization's risk tolerance and implement it as part of its risk management plan.
Risk management planning, a key part of your organization's governance, should define the appropriate level of protection and sustainment activities at the lowest possible cost. Resourcing and funding decisions related to activities, tools, and personnel should be based on your organization's risk tolerance to appropriately manage its risk.
What You Can Do
- Annually identify the financial impact of potential breaches.
- Use tools and frameworks (e.g., OCTAVE and RMF) to define your organization's risk management program.
- Advocate that senior leadership define your organization's risk tolerance as part of its risk management plan.
- Ensure that resourcing and funding decisions align with your organization's risk tolerance.
For more information about risk tolerance in your organization, see OCTAVE Allegro, Managing Information Security Risk (NIST SP 800-39), or the SEI website.