Information security risk management in a technology environment involves the identification, analysis, assessment, control, avoidance, minimization, or elimination of unacceptable risks.
An organization must choose four basic strategies to control risks such as risk avoidance, risk transference, risk mitigation and risk acceptance. Below these for basic strategies are explained in detail.
Risk avoidance is applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability. Risk avoidance can be achieved through training and education, and implementing technical security controls and safeguards. It can also be achieved through the use of policies. Risk avoidance identifies as many threats or vulnerabilities as possible and implement strategies to mitigate those threats, reducing the impact of an attack.
Risk transference is the shifting the risk to other areas or to outside entities. The overall goal is to allow someone else accept the risk. When looking at ways to transfer risk, I would evaluate things such as services. Many services can be outsources such as application services and IT services. An outside organization may be able to offer an experience in a certain areas to your organization that you simply cannot fill. Hiring an outside organization is transferring the risk to them for that development.
Risk mitigation is reducing the impact should the vulnerability be exploited. With risk mitigation it is the expectation that it is not a matter of if something happens, it is a matter of when. And when something does happen you want to have policies and procedures in place to mitigate that. These risk mitigation strategies include disaster recovery plans, incident response plans and business continuity plans.
Risk acceptance understands the consequences and accepts the risk without control or mitigation. There will always be risk. It is impossible to eliminate risk, so therefore there needs to be analysis of these things. This is achieved by determining the level of risk to the information. You also have to evaluate the probability of an attack verses the likelihood that that vulnerability will be exploited. Another way risk can be analyzed for risk acceptance is through evaluating the controls that are in place and ensuring that there are strong justifications for risk acceptance.