APPENDIX D INFORMATION RISK CONTROLS

It is often wrongly assumed that a single control of any kind is sufficient to resolve a risk. In fact, more than one control is frequently required, and often controls of different types. It is conceivable, therefore, that a risk could first be reduced by some means, leaving a level of risk that is then shared with a third party, before the remaining residual risk is accepted. There are three levels of control – strategic, tactical and operational. Figure D.1 illustrates the overall structure of controls.

STRATEGIC CONTROLS

Strategic controls come in four flavours:

  • Avoid or terminate. Avoiding or terminating the risk can mean either stopping doing the activity, in which case there may well be some residual risk; ...
