01. Risk Treatment / Risk Response Options Flashcards
Risk treatment / Risk response
Represents the actions that the organisation undertakes to reduce risk to an acceptable level
Risk treatment
176
Risk treatment / Risk response
4 risk treatment options
- Mitigation
- Transfer
- Avoidance
- Acceptance
176
Risk treatment / Risk response
Bringing in an external, competent firm to perform an organisation's risk assessment is the best solution to help identify…
unknown unknowns
176
Risk treatment / Risk response
In an enterprise environment, not all risks can be mitigated or eliminated because…
there are not enough resources to treat them all
177
Risk treatment / Risk response
A strategy is needed for choosing the best combination of solutions that will reduce risk by…
the greatest possible margin
177
Risk treatment / Risk response
A security manager making risk treatment decisions runs the risk of others in the organisation…
not supporting their decisions
177
Risk treatment / Risk response
A security steering committee making decisions about risk treatment represents…
a consensus decision and often the best choice
When stakeholders are involved in risk matters, they are more likely to support decisions affecting them
177
Risk mitigation
Involves the implementation of some solution that will reduce an identified risk
Risk Mitigation
177
Risk mitigation
An organisation will usually make a decision about implementing some form of risk mitigation after performing a…
cost analysis to determine if the reduction of risk is worth the expenditure of risk mitigation
177
Risk mitigation
Security managers need to monitor risk mitigation activities carefully to ensure that…
they are completed as planned and not forgotten about
178
Risk mitigation
Controls and risk assessments are tightly coupled in the…
risk management lifecycle
178
Risk Transfer
The means by which some or all of the risk is transferred to some external entity
Risk Transfer
178
Risk Transfer
Risk transfer is selected when an organisation does not have the…
operational or financial capacity to accept the risk and when risk mitigation is not the best choice
178
Risk Transfer
Risk transfer typically works with only a portion of the risk and it does not…
reduce all of the risk
179
Risk Avoidance
The process by which the organisation abandons the risk-inducing activity, such as taking an asset out of service
Risk avoidance
179
Risk Acceptance
A process by which an organisation finds the presence of a risk to be acceptable and determines that it does not require reduction or mitigation
Risk acceptance
180
Risk Acceptance
2 conditions by which an organisation may elect to accept risk
- Cost of risk mitigation is greater than the value of the asset being protected
- Impact of compromise is low, or the value or classification of the asset is low
180
Risk Acceptance
Once a risk is accepted, it should not be closed but should be reviewed at least…
annually
- Value of the asset or business might change throughout the year
- Threats might have changed throughout the year
- Cost of mitigation might have changed throughout the year
180
Evaluating Risk Response Options
Factors for a risk manager to consider when evaluating risk response options
- Cost and effectiveness of response option: the value of an asset may be less than the cost of the control to protect it
- Effectiveness of the control: if implemented controls do not reduce risk to an acceptable level, is it worth it?
- Organisational structure/design: organisational design and layouts divide the business; some departments may have more resources than others
- Governance: legal and regulatory requirements
- Culture: e.g. removing admin rights from people who complain because they do not want to give up what they had
Cost and Benefits
Understanding the cost and benefits of risk mitigation helps the organisation to develop…
strategies that are more cost effective or result in greater cost avoidance
181
Cost and Benefits
Organisations need to understand several cost- and benefit-related considerations
- Change in threat probability: a mitigating control changes the probability of threat occurrence
- Change in threat impact: the impact of a mitigated threat will change compared to a non-mitigated threat, which brings a change in associated costs, i.e. the cost impact is less
- Change in operational efficiency: mitigating controls may add time constraints or limits on operational teams
- Total cost of ownership (TCO): the organisation understands the total cost of ownership from implementation and support through to end of life
181/182
Cost and Benefits
A principle that is valid as a starting point for making cost-conscious decisions on risk mitigation
Proportionality
If an asset costs £10,000 but it costs £20,000 to implement a control to reduce the risk, arguably it is not worth it.
If, however, the asset is integral to a process through which the company makes £100,000 revenue each day, this changes the balance: the asset's hardware value may not be much, but its operational value is critical.
182
Residual Risk
An element of risk that still exists after some of the risk has been removed through mitigation or transfer
Residual risk
182
Residual Risk
Residual risk formula
Residual risk = Original risk - mitigated risk - transferred risk - avoided risk
182
Iterative Risk Treatment
A mature way to approach residual risk is to…
analyse residual risk as if it were a new risk
Apply risk treatment and analysis to the residual risk
One or more iterations of assessment may ultimately lead to the residual risk being accepted and the matter closed
183
Risk Appetite, Capacity, and Tolerance
The level of risk that an organisation is willing to accept while pursuing its mission, strategy, and objectives before taking action to treat a risk
Risk Appetite
183
Risk Appetite, Capacity, and Tolerance
The objective amount of loss that an organisation can tolerate without its continued existence being called into question
Risk Capacity
183
Risk Appetite, Capacity, and Tolerance
The acceptable level of deviation in risk for a particular endeavor or business pursuit
Risk Tolerance
184
Risk Appetite, Capacity, and Tolerance
The CISO is rarely the person making risk treatment decisions or being accountable for that decision, but is instead the…
facilitator of risk discussions that lead to risk treatment decisions
184
Legal and Regulatory Considerations
In many cases, risk treatment decisions must abide by regulatory and legal requirements, including…
- Mandatory protective measures: legal obligations to implement controls, whether the measure reduces actual risk or not (e.g. PCI DSS)
- Optional protective measures: organisations can choose not to implement a specific measure, but this requires a formal, valid business reason
- Mandatory risk assessments: the mandatory requirement to conduct risk assessments, although this does not necessarily mandate the need to implement mandatory controls
185
Legal and Regulatory Considerations
Any risk associated with any general or specific consequences of not being compliant with a law, regulation, or private legal obligation
Compliance risk
185
Legal and Regulatory Considerations
Sometimes, executive management may choose to pay fines instead of bringing their organisation into compliance as…
fines or other sanctions may have a lesser impact on the organisation than the cost and effort to be compliant
185
Risk Register
A business record that documents risks identified through risk assessments, risk analysis and other means
Risk Register
186