Randy Payant, vice president and research director at the IPS-Sendero Institute, a risk-management education and training group in Scottsdale, Ariz., says risk management is a fourfold process:
Identify risk-prone areas. For example, in a supply-chain network accessed by your vendors, you'll need to locate every point of entry: servers, available applications and numerous other vulnerabilities. Once they are identified, you can determine the level of risk your organization is willing to take at each point, such as whether all employees at a given vendor should have access to your supply-chain network or only a select few.
Measure or quantify your exposure. How many ports can be accessed remotely? How many external users will there be? What levels of access will be permitted?
Limit the factors that contribute to risk. Reduce the number of people with access rights. Restrict hours of availability for systems.
Control your realm. Create and monitor IT procedures.
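The four steps above, worked through as an added example in Python (this is not code from the article or from IPS-Sendero). It builds a constructed inventory of vendor entry points (step 1), quantifies exposure using the article's three questions: remote ports, external users, hours of availability (step 2), applies the limiting controls the article names, fewer access rights and a narrower availability window (step 3), and then monitors constructed access-log events against the resulting policy (step 4). Every name, port, account, timestamp and the exposure metric itself are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class EntryPoint:
    """One point of entry into the supply-chain network (step 1: identify)."""
    name: str
    port: int
    remote: bool                 # reachable by external (vendor) users
    users: FrozenSet[str]        # vendor accounts permitted to use it
    hours: Tuple[int, int]       # permitted window on a 24h clock, [start, end)


# Step 1: constructed inventory. Names, ports and accounts are made up.
INVENTORY: List[EntryPoint] = [
    EntryPoint("vendor-portal", 443, True,
               frozenset({"acme.alice", "acme.bob", "acme.carol"}), (0, 24)),
    EntryPoint("edi-sftp", 22, True,
               frozenset({"acme.bob", "globex.dan"}), (0, 24)),
    EntryPoint("erp-api", 8443, True,
               frozenset({"acme.alice", "acme.bob", "acme.carol",
                          "globex.dan", "globex.erin"}), (0, 24)),
    EntryPoint("build-server", 8080, False,
               frozenset({"ops.admin"}), (0, 24)),   # internal only
]


def exposure(points: List[EntryPoint]) -> Dict[str, int]:
    """Step 2: measure exposure as the three quantities the article asks about.
    The metric (distinct remote ports, distinct external users, summed open
    hours) is an assumed, deliberately simple way to make the numbers visible."""
    remote = [p for p in points if p.remote]
    external_users = set().union(*(p.users for p in remote)) if remote else set()
    return {
        "remote_ports": len({p.port for p in remote}),
        "external_users": len(external_users),
        "open_hours": sum(p.hours[1] - p.hours[0] for p in remote),
    }


def limit(points: List[EntryPoint], keep_users: FrozenSet[str],
          window: Tuple[int, int]) -> List[EntryPoint]:
    """Step 3: reduce the people with access rights and restrict the hours
    of availability on every remotely reachable entry point."""
    return [replace(p, users=p.users & keep_users, hours=window) if p.remote else p
            for p in points]


def audit(points: List[EntryPoint], events: List[str]) -> List[str]:
    """Step 4: monitor. Check each access event against the policy that the
    inventory now encodes and return a finding for every deviation.
    Event format (constructed): '<ISO timestamp> <account> <port>'."""
    by_port = {p.port: p for p in points}
    findings = []
    for line in events:
        ts, user, port_text = line.split()
        port = int(port_text)
        when = datetime.fromisoformat(ts)
        point = by_port.get(port)
        if point is None:
            findings.append(f"{ts} {user}: port {port} is not an inventoried entry point")
        elif user not in point.users:
            findings.append(f"{ts} {user}: not permitted on {point.name}")
        elif not (point.hours[0] <= when.hour < point.hours[1]):
            findings.append(f"{ts} {user}: {point.name} used outside permitted hours {point.hours}")
    return findings


# Constructed access events for the monitoring step.
EVENTS = [
    "2024-03-04T09:15:00 acme.alice 443",    # permitted user, inside window
    "2024-03-04T02:40:00 acme.bob 8443",     # permitted user, but 02:40 is outside 08-18
    "2024-03-04T11:05:00 globex.erin 8443",  # account removed by the limiting step
    "2024-03-04T12:00:00 acme.carol 9000",   # port never inventoried
]


if __name__ == "__main__":
    before = exposure(INVENTORY)
    limited = limit(INVENTORY, frozenset({"acme.alice", "acme.bob"}), (8, 18))
    after = exposure(limited)
    print("exposure before limiting:", before)
    print("exposure after limiting: ", after)
    for finding in audit(limited, EVENTS):
        print("finding:", finding)
```

Running it shows the exposure numbers drop from three remote ports, five external users and 72 open hours to three ports, two users and 30 hours, and the audit of the same four events then raises three findings where the unrestricted inventory would have raised only one (the uninventoried port). The point for a practitioner is that step 4 is only meaningful once steps 1 to 3 have produced a concrete policy to monitor against.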