Topic 6 Flashcards
Risk management - controlling risk
What are the five risk treatment strategies discussed in this topic?
The five risk treatment strategies presented in this topic are defense, transference, mitigation, acceptance, and termination.
Describe the strategy of defense.
The risk treatment strategy of defense is the application of safeguards that eliminate or reduce the remaining uncontrolled risks.
Describe the strategy of transference.
The risk treatment strategy of transference is the shifting of risks to other areas or to outside entities.
Describe the strategy of mitigation.
The risk treatment strategy of mitigation is the reduction of a risk’s impact after a successful attack by preparing for its occurrence and the immediate actions needed to ameliorate the consequences.
Describe the strategy of acceptance.
The risk treatment strategy of acceptance is an understanding of the consequences and acknowledgment of the risk by the proper level of authority, without any attempt at control or mitigation.
Describe the strategy of termination.
Termination is the risk treatment strategy that eliminates all risk associated with an information asset by removing that asset from service.
Describe residual risk.
Residual risk is the “leftover” risk that is not completely removed, shifted, or included in planning.
What conditions must be met to ensure that risk acceptance has been used properly?
Risk acceptance has been used properly if the level of risk posed to the asset has been determined, the probability of attack and the likelihood of a successful exploitation of a vulnerability have been assessed, the annual rate of occurrence of such an attack has been approximated, the potential loss that could result from attacks has been estimated, a thorough cost-benefit analysis has been performed, controls using each appropriate type of feasibility have been evaluated, and it has been decided that the particular function, service, information, or asset does not justify the cost of protection.
What is risk appetite? Explain why risk appetite varies from organization to organization.
Risk appetite is the amount of risk an organization is willing to accept as it evaluates the trade-off between perfect security and unlimited accessibility. Risk appetite varies from organization to organization because of differences in their size, budget, culture, and the value placed on certain assets.
What is the difference between benchmarking and baselining?
Benchmarking is the process of comparing one’s company with other companies that are seeking the same results, whereas baselining is the process of standardizing a company’s own results.