Summary
In this chapter, we learned that identifying and remediating risks is only one component of the overall approach to cyber risk. The entire company must be involved when deciding whether to accept, avoid, mitigate, or transfer a cyber risk. Evaluating and handling risk starts at the top and is pushed downward through the organization.
We also saw that the evaluation of cyber risk must first be established by the ELT and BoD, since they are the ones who must state their risk tolerance levels. Once these have been defined, EA develops the policies and procedures that ensure new and existing IT resources are architected in a manner that reflects the security posture the organization requires.
We learned that it is important to have a feedback loop for the event that a particular control is not implemented as intended. This could be a one-off configuration error, or it could be more catastrophic in nature. This leads to unrealized...