Client - Auditor reported this issue
Vendor - That is within your risk appetite limits and risk mitigation controls are already in place. It will not impact your business and it will not cause any breach.
Client - So you are telling me that you have been selling us a product with security issues?
Vendor - !!!!???
Sounds familiar :)
Risk management is often understood as fixing every issue and managing every associated risk, with a clean compliance/audit report as the final expectation.
An organization with a good, practical security policy will have:
Patch update policy - once every week, and immediately in case of a major patch release
Backup policy - outlines good data backup practice - once every day/week/month depending on the criticality of the database
Database protection policy - outlines how to protect the database through encryption, shuffling, suppression, etc.
The probability of a ransomware attack is minimal in this case, and if one does happen the business can resume its operations with minimal downtime because,
An organization's ability to withstand an attack with minimal impact is considered its risk appetite. Anticipating the risk and understanding its impact is risk acceptance. Implementing controls that reduce the risk until its impact is close to the upper limit of the risk appetite is risk tolerance.
A successful risk management program must be designed around:
Risk Acceptance
Risk Tolerance
Risk Appetite