6. Risk Treatment Flashcards
Risk treatment
Input
A list of risks prioritized according to risk evaluation criteria in relation to the incident scenarios that lead to those risks.
Action
Controls to reduce, retain, avoid, or share the risks should be selected and a risk treatment plan defined.
Implementation guidance
There are four options available for risk treatment in the information security risk management process: risk modification, risk retention, risk avoidance and risk sharing.
Risk treatment options should be selected based on the outcome of the risk assessment, the expected cost for implementing these options and the expected benefits from these options.
A risk treatment plan should be defined which clearly identifies the priority ordering in which individual risk treatments should be implemented and their timeframes.
Risk treatment options should be considered taking into account:
— how risk is perceived by affected parties;
— the most appropriate ways to communicate to those parties.
One risk to organizations is failure to comply, and treatment options to limit this possibility should be implemented. All constraints – organizational, technical, structural, etc. – that are identified during the context establishment activity should be taken into account during the risk treatment.
Once the risk treatment plan has been defined, residual risks need to be determined. This involves an update or re-iteration of the risk assessment, taking into account the expected effects of the proposed risk treatment.
Output
Risk treatment plan and residual risks subject to the acceptance decision of the organization’s managers.
Risk Modification
Action
The level of risk should be managed by introducing, removing or altering controls so that the residual risk can be reassessed as being acceptable.
Implementation guidance
Appropriate and justified controls should be selected to meet the requirements identified by the risk assessment and risk treatment. This selection should also take account of the cost and timeframe for implementation of controls, as well as technical, environmental and cultural aspects.
In general, controls can provide one or more of the following types of protection: correction, elimination, prevention, impact minimization, deterrence, detection, recovery, monitoring and awareness. During control selection, it is important to weigh the cost of acquisition, implementation, administration, operation, monitoring, and maintenance of the controls against the value of the assets being protected.
Various constraints should be taken into account when selecting controls and during implementation. Typically, the following are considered:
— time constraints;
— financial constraints;
— technical constraints;
Risk Retention
Action
The decision on retaining the risk without further action should be taken depending on risk evaluation.
Implementation guidance
If the level of risk meets the risk acceptance criteria, there is no need for implementing additional controls and the risk can be retained.
Risk Avoidance
Action
The activity or condition that gives rise to the particular risk should be avoided.
Implementation guidance
When the identified risks are considered too high, or the costs of implementing other risk treatment options exceed the benefits, a decision can be made to avoid the risk completely, by withdrawing from a planned or existing activity or set of activities, or changing the conditions under which the activity is operated.
For example, for risks caused by nature it can be the most cost-effective alternative to physically move the information processing facilities to a place where the risk does not exist or is under control.
Risk Sharing
Action
The risk should be shared with another party that can most effectively manage the particular risk depending on risk evaluation.
Implementation guidance
Risk sharing involves a decision to share certain risks with external parties. Risk sharing can create new risks or modify existing, identified risks. Therefore, additional risk treatment can be necessary.
Sharing can be done through insurance that covers the consequences, or by sub-contracting a partner whose role is to monitor the information system and take immediate action to stop an attack before it causes a defined level of damage.
It should be noted that it can be possible to share the responsibility to manage a risk, but it is not normally possible to share the liability of an impact. Customers usually attribute an adverse impact to the fault of the organization.