Risk is a hard one for me to delve deep into. I used to be a Product Manager for a Risk and Compliance software system, so some of the topics are just general business practice for me.
E.g. an NDA is a risk management strategy, but that is just general business practice; if you are not signing NDAs, that is a risk in itself.
Other topics
Job Roles
It’s good to have job rotation and enforced time away from the role, so that any systemic or malicious activity is exposed when someone else has to cover the duties.
Separation of job roles - e.g. having a separate person make payments vs. setting up new vendors in your system, or having an approval process for setting up new vendors.
Clean desk policy - this is not specifically saying no paper on the desk, but being aware of the risk attached to any information you are dealing with, and not leaving it exposed.
Employees
E.g. shutting down system access when they leave.
Onboarding policies.
Ensuring new employees are aware of the policies that exist, and that they understand them.
See Policies
Ensuring only limited access is granted within the probation period where possible.
Of course, if they are coming on board as a system administrator, then they need the keys to the kingdom on day one, so that is a huge risk that you need to be aware of.
Ensuring keys and access passes are returned. This is predicated on having good systems to ensure that you know when people are joining and leaving the company. It is surprising how difficult this is for many orgs.
Networks
A huge area. The risks are very different if you just have a simple Wi-Fi network and use cloud apps vs. having on-premise servers.
Are you required to share network access with another company?
Are there any regulatory controls that impact your network operations?
Risk Documentation
Risk Response
Accept
Transfer
E.g. insurance
Avoid
Mitigate