CRISC Domain II Flashcards
Domain II - Risk Response
What’s the purpose of defining a risk response?
To ensure the residual risk is within the limits of the risk appetite and tolerance of the enterprise
What is Risk Response based on?
- Selecting the correct, prioritized response to risk, based on the level of risk, the enterprise’s risk tolerance and the cost-benefit advantages of the selected risk response option
What are the risk management processes? Where does Risk Response fit?
- Identification
- Assessment
- Evaluation
- Monitoring
- Risk Response integrates with risk management processes
Risk Response ensures that management is provided with what?
Accurate reports on:
- Level of risk faced by the enterprise
- Types of incidents that have occurred
- Any change to the enterprise’s risk profile based on changes in the (internal and external) risk environment
Risk should always be reported based on?
- The risk to the business
- The ability of the business to meet its objectives
- Risk to IT systems
When is the Risk Response triggered?
When a risk exceeds the enterprise’s risk tolerance level
The prioritization of the risk response and the development of the risk response plan are influenced by which parameters?
- Cost of the response to reduce risk to within tolerance levels
- Importance of the risk
- Capability to implement the response
- Effectiveness of the response
- Efficiency of the response
What are the high-level risk response process phases?
- Phase 1: Review results of the risk analysis
- Phase 2: Select risk response options
- Phase 3: Prioritize the risk response options
- Phase 4: Implement the risk action plan
What should be done where the risk analysis shows risk is not within the defined risk tolerance levels?
Weigh projected risk versus the potential cost of implementing and maintaining controls and select the most appropriate response
What are the four key risk response options?
- Risk avoidance (avoid)
- Risk mitigation (reduce/mitigate)
- Risk sharing (share/transfer)
- Risk acceptance (accept)
Define Risk Avoidance?
Activities or conditions that give rise to risk are discontinued
Risk avoidance applies when?
The level of risk, even after the selection of controls, would be greater than the risk tolerance level of the enterprise
Provide Risk Avoidance examples?
- Not engaging in electronic commerce (e-commerce) to avoid the risk associated with the line of business
- Not engaging in a very large project when the business case shows a significant risk of failure
- Not operating in some countries or regions due to safety concerns
What are some cases of Risk Avoidance?
- There is no other cost-effective response for reducing the likelihood and magnitude below the defined thresholds for risk appetite
- The risk cannot be shared or transferred
- The risk is deemed unacceptable by management
What is Risk Mitigation?
Actions are taken to reduce the likelihood and/or the impact of risk
What are the main control types in Risk Mitigation?
- Managerial (policies)
- Technical (tools such as firewalls and intrusion detection systems)
- Operational (procedures, segregation of duties)
- Preparedness activities
Give Risk Mitigation examples?
- Strengthening overall risk management practices, such as implementing sufficiently mature risk management processes
- Deploying new technical, management or operational controls that reduce either the likelihood or impact of an adverse event
- Installing a new access control system
- Implementing policies or operational procedures
- Developing an effective incident response and business continuity plan
What is Risk Sharing?
Risk impact is reduced by transferring or otherwise sharing a portion of the risk with an external enterprise or another internal entity