ABSTRACT

The risk management approach starts with a complete understanding of the risk factors facing an organization. Risk assessments allow security teams to design appropriate control systems and leverage the necessary technical tools; they are also required for insurance companies to properly draft and price policies for the remediation of harm. Assessments should include penetration testing of key enterprise systems and interviews with security and IT management staff. Because there are many different assessment formats, an enterprise should use a method that conforms to a recognized standard. Proper change management processes, security administration processes, and human resources controls and oversight, for example, are necessary. A mismanagement claim against a company’s directors and officers arising from cyber-events will generally be covered under the company’s directors’ and officers’ insurance policy to the same extent as a non-cyber claim. Again, if an organization uses outsourced facilities for application hosting and management, it should look for multilevel physical access control.