Tuesday, March 30, 2010

Governance Part 4: Standards

We’ve covered how management uses policies to govern an undertaking, whether that’s a business, a household, or one’s career. Today we’ll continue the Governance series with a look at standards and how they bridge the gap between executive ideals and technical practicality.

The relationship between a policy and a standard is similar to the relationship between a vision and a mission:

Monday, March 22, 2010

PCI II: Criticisms of the PCI DSS

Having given a very brief explanation of the PCI DSS standard and how the credit card industry manages its risk by requiring merchants who want to accept credit cards to adhere to it, I’m going to continue this series by discussing the controversy surrounding the standard.

Friday, March 19, 2010

Compliance: PCI in a very small nutshell

I am certified as a Payment Card Industry (PCI) Qualified Security Assessor (QSA). I am frequently paid to perform PCI audits, to advise people on how to fill out their Self Assessment Questionnaire (SAQ), and to help them identify and remedy gaps in security that would prevent them from complying.

Previously, I’ve written about identifying risks and handling them. I’ve asserted, and indeed it is my fundamental thesis in this blog, that risk management is something everyone does, and that if done mindfully and consciously we live happier and better lives personally and professionally. That never means there aren’t complications and challenges to face, and today I’m writing about one of them.

It should come as no surprise that if everyone evaluates their own risks, different people come up with different risks and ideas about how to manage them.

Monday, March 15, 2010

Managing Risk Through Acceptance and Assignment

Last week, we looked at risk mitigation. If you do something to reduce your vulnerability to a threat, or the impact of that threat, the risk goes down. Your personal firewall, your anti-virus system, the lock on your front door, and the umbrella you carry when it looks cloudy out are all examples of risk mitigation. It’s a very popular way to manage risk: literally billions of dollars of the economy consist of people the world over mitigating trillions of dollars of risk. Mitigation very nearly always costs money, and frequently it’s the most cost-effective way to manage one’s risk, but there are others. Today we’ll take a short look at two of them: Acceptance and Assignment.

Tuesday, March 9, 2010

Risk Management: Risk Mitigation

Last week, I started talking about risk management by talking about how it relates to something as mundane as forgetting your car keys. I’m going to stick with that analogy as we discuss how to use risk assessment to understand whether you’re happy with the risk you have or if it’s worth spending some money to mitigate that risk.

Friday, March 5, 2010

Governance Part 3: Policies

In Part 2, we discussed Missions, Visions, and Charters, which define a task, lay out an overall strategy for accomplishing that task, and authorize someone to do it. Today, we’ll discuss how policies tell everyone to execute the charter to accomplish the mission that realizes the vision. (If I can make this into a spoof of The Court of King Caractacus, why not?)

Humor aside, a policy is a high-level statement from senior management to the enterprise describing how it expects everyone to conduct business.

Wednesday, March 3, 2010

Risk management example: my tire

I was going to continue the governance series today by writing about policies, but I had the idea to use my last few days to show how theory turns into practice. In particular, how I think about and do risk management in day-to-day life. I’m sure you do the same thing, but call it by a different name. “Thinking things through,” perhaps. The really cool thing about it is that it takes longer to describe than to actually do. And if it’s that reflexive for some things, it can become reflexive for everything.

Meta: Comments now hosted at Intense Debate

I've set up the comments to use the Intense Debate system. This will add threading, a degree of cross-site identity continuity, and a number of other features to the system.

Monday, March 1, 2010

Risk Management: YOU Are a risk manager!

Risk management. Assessment, vulnerabilities, threats, and impact. Mitigation, assignment, acceptance. If you don’t do security for a living, or do it as a purely technical activity, these can sound like terms from some arcane art practiced by Wizards, Sorcerers, Actuaries, and Mutual Fund managers. Today we start taking the mystique out of it and showing that it’s something nearly everyone does every day.