8. Information Security Risk Acceptance Flashcards

1
Q

Information security risk acceptance

Input

A

Risk treatment plan and residual risk assessment subject to the acceptance decision of the organization’s managers.

2
Q

Implementation guidance

A

Risk treatment plans should describe how assessed risks are to be treated to meet risk acceptance criteria. It is important for responsible managers to review and approve proposed risk treatment plans and resulting residual risks, and record any conditions associated with such approval.

In some cases, the level of residual risk does not meet the risk acceptance criteria because the criteria being applied do not take prevailing circumstances into account. For example, it can be argued that a risk has to be accepted because the benefits that accompany it are very attractive, or because the cost of modifying the risk is too high.

Such circumstances indicate that risk acceptance criteria are inadequate and should be revised if possible. However, it is not always possible to revise the risk acceptance criteria in a timely manner.

In such cases, decision-makers can accept risks that do not meet normal acceptance criteria. If this is necessary, the decision-maker should explicitly comment on the risks and include a justification for the decision to override normal risk acceptance criteria.

3
Q

Output

A

A list of accepted risks with justification for those that do not meet the organization’s normal risk acceptance criteria.
