01. Risk Treatment / Risk Response Options Flashcards

1
Q

Risk treatment / Risk response

Represents the actions that the organisation undertakes to reduce risk to an acceptable level

A

Risk treatment

176

2
Q

Risk treatment / Risk response

4 risk treatment options

A
  1. Mitigation
  2. Transfer
  3. Avoidance
  4. Acceptance

176

3
Q

Risk treatment / Risk response

Bringing in an external, competent firm to perform an organisation's risk assessment is the best solution to help identify…

A

unknown unknowns

176

4
Q

Risk treatment / Risk response

In an enterprise environment, not all risks can be mitigated or eliminated because…

A

there are not enough resources to treat them all

177

5
Q

Risk treatment / Risk response

A strategy is needed for choosing the best combination of solutions that will reduce risk by…

A

the greatest possible margin

177

6
Q

Risk treatment / Risk response

A security manager making risk treatment decisions runs the risk of others in the organisation…

A

not supporting their decisions

177

7
Q

Risk treatment / Risk response

A security steering committee making decisions about risk treatment represents…

A

a consensus decision and often the best choice

When stakeholders are involved in risk matters, they are more likely to support decisions affecting them

177

8
Q

Risk mitigation

Involves the implementation of some solution that will reduce an identified risk

A

Risk Mitigation

177

9
Q

Risk mitigation

An organisation will usually make a decision about implementing some form of risk mitigation after performing a…

A

cost analysis to determine if the reduction of risk is worth the expenditure of risk mitigation

177

10
Q

Risk mitigation

Security managers need to monitor risk mitigation activities carefully to ensure that…

A

they are completed as planned and not forgotten about

178

11
Q

Risk mitigation

Controls and risk assessments are tightly coupled in the…

A

risk management lifecycle

178

12
Q

Risk Transfer

The means by which some or all of the risk is transferred to some external entity

A

Risk Transfer

178

13
Q

Risk Transfer

Risk transfer is selected when an organisation does not have the…

A

operational or financial capacity to accept the risk and when risk mitigation is not the best choice

178

14
Q

Risk Transfer

Risk transfer typically works with only a portion of the risk and it does not…

A

reduce all of the risk

179

15
Q

Risk Avoidance

The process by which the organisation abandons the risk-inducing activity, such as taking an asset out of service

A

Risk avoidance

179

16
Q

Risk Acceptance

A process by which an organisation finds the presence of a risk to be acceptable and determines that it does not require reduction or mitigation

A

Risk acceptance

180

17
Q

Risk Acceptance

2 conditions under which an organisation may elect to accept risk

A
  1. Cost of risk mitigation is greater than the value of the asset being protected
  2. Impact of compromise is low, or the value or classification of the asset is low

180

18
Q

Risk Acceptance

Once a risk is accepted, it should not be closed but should be reviewed at least…

A

annually

  • Value of the asset or business might change throughout the year
  • Threats might have changed throughout the year
  • Cost of mitigation might have changed throughout the year

180

19
Q

Evaluating Risk Response Options

Factors for a risk manager to consider when evaluating risk response options

A
  1. Cost and effectiveness of response option
  2. Effectiveness of the control
  3. Organisational structure/design
  4. Governance
  5. Culture

  1. The value of an asset may be less than the cost of the control to protect it
  2. If the implemented controls do not reduce risk to an acceptable level, are they worth it?
  3. Organisational design and layout divide the business: some departments may have more resources than others
  4. Legal and regulatory requirements
  5. Culture drives resistance, e.g. removing admin rights from people who complain because they do not want to give up what they had
20
Q

Cost and Benefits

Understanding the cost and benefits of risk mitigation helps the organisation to develop…

A

strategies that are more cost effective or result in greater cost avoidance

181

21
Q

Cost and Benefits

Organisations need to understand several cost and benefit related considerations

A
  1. Change in threat probability
  2. Change in threat impact
  3. Change in operational efficiency
  4. Total cost of ownership (TCO)

  1. A mitigating control changes the probability of threat occurrence
  2. The impact of a mitigated threat will change compared to a non-mitigated threat, which brings a change in associated costs, i.e. the cost of the impact is less
  3. Mitigating controls may add time constraints or limits on operational teams
  4. The organisation understands the total cost of ownership from implementation and support through to end of life

181/182

22
Q

Cost and Benefits

A principle that is valid as a starting point for making cost-conscious decisions on risk mitigation

A

Proportionality

If an asset costs £10,000 but it costs £20,000 to implement a control to reduce the risk, arguably it is not worth it.
If, however, the asset is integral to a process that earns the company £100,000 of revenue each day, this changes the balance: the hardware value may not be much, but the asset's operational value is critical.

182

23
Q

Residual Risk

An element of risk that still exists after some of the risk has been removed through mitigation or transfer

A

Residual risk

182

24
Q

Residual Risk

Residual risk formula

A

Residual risk = Original risk - mitigated risk - transferred risk - avoided risk

182

25
Q

Iterative Risk Treatment

A mature way to approach residual risk is to…

A

analyse residual risk as if it were a new risk

Apply risk treatment and analysis to the residual risk
One or more iterations of assessment may ultimately lead to the residual risk being accepted and the matter closed

183

26
Q

Risk Appetite, Capacity, and Tolerance

The level of risk that an organisation is willing to accept while pursuing its mission, strategy, and objectives before taking action to treat a risk

A

Risk Appetite

183

27
Q

Risk Appetite, Capacity, and Tolerance

The objective amount of loss that an organisation can tolerate without its continued existence being called into question

A

Risk Capacity

183

28
Q

Risk Appetite, Capacity, and Tolerance

The acceptable level of deviation in risk for a particular endeavor or business pursuit

A

Risk Tolerance

184

29
Q

Risk Appetite, Capacity, and Tolerance

The CISO is rarely the person making risk treatment decisions or being accountable for that decision but is instead the…

A

facilitator of risk discussions that lead to risk treatment decisions

184

30
Q

Legal and Regulatory Considerations

In many cases, risk treatment decisions must abide by regulatory and legal requirements, including…

A
  1. Mandatory protective measures
  2. Optional protective measures
  3. Mandatory risk assessments

  1. Legal obligations to implement controls, whether the measure reduces actual risk or not, e.g. PCI DSS
  2. Organisations can choose not to implement a specific measure, but would require a formal, valid business reason not to
  3. The mandatory requirement to conduct risk assessments, although this does not necessarily mandate the need to implement specific controls

185

31
Q

Legal and Regulatory Considerations

Any risk associated with any general or specific consequences of not being compliant with a law, regulation, or private legal obligation

A

Compliance risk

185

32
Q

Legal and Regulatory Considerations

Sometimes, executive management may choose to pay fines instead of bringing their organisation into compliance as…

A

fines or other sanctions may have a lesser impact on the organisation than the cost and effort to be compliant

185

33
Q

Risk Register

A business record that documents risks identified through risk assessments, risk analysis and other means

A

Risk Register

186
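Worked example (added here; not from the flashcards or the book they summarise): a small risk register entry that applies the treatment options from cards 2, 22, 24, 25 and 33 in code. The residual risk formula (original minus mitigated, transferred and avoided risk) is recomputed after each treatment, each pass treats what is left as if it were a new risk, a proportionality check compares a control's cost with the larger of the asset's hardware value and its daily operational value, and acceptance schedules an annual review instead of closing the entry. The 1-5 likelihood and impact scale, the `RiskEntry`, `Treatment`, `is_proportionate`, `accept` and `treat_iteratively` names, the appetite of 6 and every figure in `example_entry` are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed scoring scale (likelihood 1-5 x impact 1-5) and all sample figures
# below are constructed for this example, not taken from the source book.

@dataclass
class Treatment:
    option: str               # "mitigate", "transfer", "avoid" or "accept"
    reduction: float = 0.0    # fraction of the risk *remaining* that this option removes
    annual_cost: float = 0.0  # what the option costs per year
    note: str = ""

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    asset_value: float               # replacement cost of the asset
    daily_operational_value: float   # revenue the asset supports per day
    applied: List[Treatment] = field(default_factory=list)
    status: str = "open"             # "open" until accepted
    review_by: Optional[date] = None

    def original_risk(self) -> float:
        return float(self.likelihood * self.impact)

    def removed_by(self, option: str) -> float:
        """Risk points removed by every applied treatment of one option type.
        Each treatment acts on what was left when it was applied."""
        remaining = self.original_risk()
        removed = 0.0
        for t in self.applied:
            portion = remaining * t.reduction
            remaining -= portion
            if t.option == option:
                removed += portion
        return round(removed, 2)

    def residual_risk(self) -> float:
        # Residual risk = original risk - mitigated - transferred - avoided
        return round(self.original_risk()
                     - self.removed_by("mitigate")
                     - self.removed_by("transfer")
                     - self.removed_by("avoid"), 2)

def is_proportionate(entry: RiskEntry, t: Treatment, outage_days: int = 1) -> bool:
    """Proportionality: weigh the control's cost against what it protects, i.e.
    the larger of the hardware value and the operational value at stake."""
    protected_value = max(entry.asset_value, entry.daily_operational_value * outage_days)
    return t.annual_cost <= protected_value

def accept(entry: RiskEntry, today: date, note: str = "") -> RiskEntry:
    """Acceptance does not close the entry; it schedules a review at least annually."""
    entry.applied.append(Treatment("accept", 0.0, 0.0, note))
    entry.status = "accepted"
    entry.review_by = today + timedelta(days=365)
    return entry

def treat_iteratively(entry: RiskEntry, candidates: List[Treatment],
                      appetite: float, today: date) -> RiskEntry:
    """Treat the residual as a new risk on every pass: apply the next proportionate
    risk-reducing option until the residual is within appetite, then accept.
    Disproportionate options are skipped; if nothing suffices the entry stays open."""
    for t in candidates:
        if entry.residual_risk() <= appetite:
            break
        if t.option not in ("mitigate", "transfer", "avoid"):
            continue
        if not is_proportionate(entry, t):
            continue  # control costs more than it protects
        entry.applied.append(t)
    if entry.residual_risk() <= appetite:
        accept(entry, today, note="residual within appetite")
    return entry

TODAY = date(2024, 1, 15)  # fixed so the example is reproducible

def example_entry() -> RiskEntry:
    """Constructed entry: an order server worth £10,000 that supports £100,000
    of revenue a day, treated against an assumed appetite of 6."""
    entry = RiskEntry("R-001", "Order server exposed without patch management",
                      likelihood=4, impact=5,
                      asset_value=10_000.0, daily_operational_value=100_000.0)
    candidates = [
        Treatment("mitigate", 0.5, 20_000.0, "managed patching and a WAF"),
        Treatment("transfer", 0.5, 8_000.0, "cyber insurance for breach costs"),
        Treatment("mitigate", 0.5, 150_000.0, "full platform rebuild"),
    ]
    return treat_iteratively(entry, candidates, appetite=6.0, today=TODAY)

if __name__ == "__main__":
    e = example_entry()
    print(e.risk_id, e.status, "original", e.original_risk(),
          "residual", e.residual_risk(), "review by", e.review_by)
```

Running `example_entry()` takes the entry from an original risk of 20 to 10 after mitigation and to 5 after transfer, which is within the assumed appetite, so the third (disproportionate) option is never reached and the entry is accepted with a review date a year out. The same proportionality function reproduces the £10,000 asset / £20,000 control case from card 22: with no operational value the control is rejected, with £100,000 a day at stake it is applied.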