Summary
A decision not to implement recommended security measures should be part of a thoughtful process, one that is as robust as the process for approving security projects or expenditures.
Issue
Large companies often issue security guidelines for individual business units, and not every security measure will make sense for every facility. Nonetheless, corporate leadership teams should receive clear documentation from individual facilities with detailed reasoning for why they’re living with risk as opposed to instituting a security recommendation or adhering to a company security standard.
Benefits
Vulnerabilities can arise if facilities are allowed to simply ignore recommendations, or if no one is required to take responsibility for accepting security risk. A formal process for accepting risk also helps to reconcile opposing recommendations from different factions (these may include a security committee, Human Resources, building designers, facility management, sales departments, and others).
Process or Approach
There are legitimate reasons why a company or facility may choose not to adopt a particular security measure, including funding priorities, competing requirements and standards, physical site or structural limitations, historical or architectural integrity, or a negative impact on adjacent structures. But if a facility is aware of a security risk, as well as a countermeasure that will reduce it, management personnel in consultation with legal counsel should clearly document a decision against implementation.
When a recommended security countermeasure is not implemented, an organization might clearly document answers to the following questions (as appropriate):
1. Why can the necessary level of protection not be achieved?
2. What is the rationale for accepting the risk?
3. What alternate strategies are being considered or implemented?
4. What future opportunities exist to implement the necessary level of protection?
In all cases, project documentation must clearly reflect the reason why the necessary level of protection cannot be achieved. Corporate teams can formalize their process by requiring individual facilities to complete a document any time they deviate from the organization’s standard security practices or do not implement a recommendation from a security audit. A “Risk Acceptance Justification Form” can be used to document the acceptance of risk. To see a sample form, refer to the .pdf version of this Enhanced Good Practice available in the download library.
Imperative
Risk acceptance is a perfectly permissible outcome of applying a risk management process, but it’s important for organizations to understand and document the rationale for accepting risk, and to not simply ignore security recommendations.