CRISC Domain II Flashcards
Domain II - Risk Response
What’s the purpose of defining a risk response?
To ensure the residual risk is within the limits of the risk appetite and tolerance of the enterprise
What is Risk Response based on?
-Selecting the correct, prioritized response to risk, based on the level of risk, the enterprise’s risk tolerance and the cost-benefit advantages of the selected risk response option
What are the risk management processes? Where does Risk Response fit?
- Identification
- Assessment
- Evaluation
- Monitoring
- Risk Response integrates with risk management processes
Risk Response ensures that management is provided with what?
Accurate reports on:
- Level of risk faced by the enterprise
- Types of incidents that have occurred
- Any change to the enterprise’s risk profile based on changes in the (internal and external) risk environment
Risk should always be reported based on?
- The risk to the business,
- The ability of the business to meet its objectives and
- Risk to IT systems
When is the Risk Response triggered?
When a risk exceeds the enterprise’s risk tolerance level
The prioritization of the risk response and development of the risk response plan are influenced by which parameters?
- Cost of the response to reduce risk to within tolerance levels
- Importance of the risk
- Capability to implement the response
- Effectiveness of the response
- Efficiency of the response
What are the high-level risk response process phases?
- Phase 1: Review results of the risk analysis
- Phase 2: Select risk response options
- Phase 3: Prioritize the risk response options
- Phase 4: Implement the risk action plan
What should be done where the risk analysis shows risk is not within the defined risk tolerance levels?
Weigh projected risk versus the potential cost of implementing and maintaining controls and select the most appropriate response
What are the four key risk response options?
- Risk avoidance (avoid)
- Risk mitigation (reduce/mitigate)
- Risk sharing (share/transfer)
- Risk acceptance (accept)
Define Risk Avoidance?
Activities or conditions that give rise to risk are discontinued
Risk avoidance applies when?
The level of risk, even after the selection of controls, would be greater than the risk tolerance level of the enterprise
Provide Risk Avoidance examples?
- Not engaging in electronic commerce (e-commerce) to avoid the risk associated with the line of business
- Not engaging in a very large project when the business case shows a significant risk of failure
- Not operating in some countries or regions due to safety concerns
What are some cases of Risk Avoidance?
- There is no other cost-effective response for reducing the likelihood and magnitude below the defined thresholds for risk appetite
- The risk cannot be shared or transferred
- The risk is deemed unacceptable by management
What is Risk Mitigation?
Actions are taken to reduce the likelihood and/or the impact of risk
What are the main control types in Risk Mitigation?
- Managerial (policies)
- Technical (tools such as firewalls and intrusion detection systems)
- Operational (procedures, SOD)
- Preparedness activities
Give Risk Mitigation examples?
- Strengthening overall risk management practices, such as implementing sufficiently mature risk management processes
- Deploying new technical, management or operational controls that reduce either the likelihood or impact of an adverse event
- Installing a new access control system
- Implementing policies or operational procedures
- Developing an effective incident response and business continuity plan
What is Risk Sharing?
Risk impact is reduced by transferring or otherwise sharing a portion of the risk with an external enterprise or another internal entity
Give examples of Risk Sharing?
- Taking out insurance coverage for disasters or incidents
- Outsourcing unique business processes
- Sharing project risk with other organizations through fixed-price arrangements or shared investment arrangements
What is an important note regarding Risk Sharing?
In both a physical and a legal sense, this technique does not relieve an enterprise of a risk
What is Risk Acceptance?
No action is taken relative to a particular risk; loss is accepted when/if it occurs
If an enterprise adopts a risk acceptance stance, what should it consider?
Who can accept the risk: it should only be accepted by senior business management in collaboration with senior management and the board
What is an important note regarding Risk Acceptance?
- Risk Acceptance is different from being ignorant of risk
- Accepting risk assumes the risk is known and that an informed decision has been made by management to accept it
What must be considered when selecting any of the risk mitigation options?
- Goals and objectives of an enterprise
What is the “best in class” approach to risk response consideration?
Use appropriate technology along with appropriate risk mitigation options and nontechnical, administrative measures
What are the risk response selection parameters?
- Cost of response
- Importance of risk
- Capability to implement response
- Effectiveness of response
- Efficiency of response
What are the Risk Response Prioritization Options?
- Quick win
- Business case to be made
- Deferral
What is a Quick Win prioritization option?
Very effective and efficient response that addresses medium to high risk
What is a Business case to be made option?
Requires careful analysis and management decisions on investments:
- More expensive or difficult risk responses to medium to high risk
- Efficient, effective responses to low to medium risk
What is a Deferral option?
Costly risk response to a low risk
A risk has been identified: the enterprise’s IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become expensive. What is the response and the risk prioritization option?
Response:
- Major rearchitecture and redesign of the existing system
- Purchase of a new, integrated system
Risk Option:
- Categorized as Business case to be made because of project cost
A risk of noncompliance with regulations is identified because a number of relatively simple procedures are missing. What is the response and the risk prioritization option?
Response:
- Creating the missing procedures and implementing them
Risk Option:
- Categorized as Quick Win because the allocation of existing resources or a minor resource investment provides measurable benefits
What is contained in a risk response plan?
- Steps, timelines, budgets, people and tools needed to implement the risk response strategy
Which risk response factors should be taken into account?
- Stakeholder interests
- Acceptance of change
- Balance of technical and nontechnical solutions
- Cost
- Impact on productivity
- Ownership of controls
- Ability to audit and monitor risk
- Regulations
- Changing market conditions
As part of a risk response, the ongoing status of the risk mitigation process must be tracked. How is this done?
- Tracking is often done using a risk register
Why is it important to use a risk register?
To ensure the risk response strategy remains active and proposed controls are implemented according to schedule
What happens when an enterprise is aware of a risk but does not have a justifiable risk response strategy or is not following its strategy?
The liability of the enterprise to adverse publicity or even civil or criminal penalties increases
What should a risk practitioner always look to achieve?
Greater efficiency by integrating risk response options to address more than one risk
What is the result of using techniques that are versatile and enterprisewide rather than individual solutions? Give an example.
- It provides better justification for risk response strategies and related costs
- Example: Deploying an access control system that supports more than one system
The implementation of IS controls should consider?
- Controls are tested prior to implementation whenever possible
- People are trained in the use of the tools
- A control owner is clearly identified and responsible for the control
- The control is measurable
- The control is monitored to ensure that it remains effective over time
What are the Phases of the Risk Response Process?
- Phase 1: Articulate risk
- Phase 2: Manage risk
- Phase 3: React to risk events
Explain Phase 1 of the risk response process and what it requires.
Phase 1 is Articulate Risk. It requires articulating (documenting and reporting) risk to ensure that information on the true state of exposures and opportunities is made available in a timely manner and to the right people to enable the appropriate response
What are the tasks associated with Phase 1 (Risk Articulation)?
Task 1: Communicate risk analysis results
Task 2: Report risk management activities and the state of compliance
Task 3: Interpret independent risk assessment findings
Task 4: Identify business opportunities
What are the steps to communicate risk analysis results? What Task is this associated with?
Step 1: Report the results of risk analysis in terms and formats useful to support business and risk management decisions
Step 2: Coordinate additional risk analysis as required by decision makers (report rejection and scope adjustments)
Step 3: Clearly communicate the risk-return context, including, wherever possible, probabilities of loss and/or gain, ranges, and confidence levels that enable management to balance risk-return ratios
Step 4: Identify the negative impacts of events/scenarios that drive response decisions and the positive impacts that represent opportunities that management should channel back into the strategy and objective-setting process
Step 5: Provide decision makers with an understanding of:
- Worst case and most probable scenarios
- Due diligence exposures
- Significant reputation, legal or regulatory considerations
- Associated with Task 1: Communicate Risk Analysis Results
What are the steps to Report Risk Management Activities and the State of Compliance? What Task is this associated with?
Step 1: Meet the risk reporting needs of various stakeholders
Step 2: Apply the principles of relevance, efficiency, timeliness and accuracy to ensure strategic and efficient reporting on risk issues and status
Step 3: When reporting, include the following:
- Control effectiveness and performance
- Issues and gaps
- Remediation status
- Events and incidents
- Impacts of events and incidents on the risk profile
- Performance of risk management process
Step 4: Provide inputs to integrated enterprise reporting
- Associated with Task 1: Communicate Risk Analysis Results