Join the 40,000+ candidates in over 58 countries that have found a faster, better way to pass their certification exam.
Comprehensive practice exam engine!
All features in the FREE plan, plus:
Welcome to our risk management concepts module on risk assignment and risk acceptance. Risk identification is where we determine risks that could effect our organization and document the characteristics of those risks. The total risk is the risk that exists before a control is put in place. The residual risk is the risk that occurs after we implement safeguards or countermeasures.
And the accepted risk is the risk that the company chooses to accept if they do not wish to implement a countermeasure, and they're basically choosing to live with the risk of a threat. We can use formulas to calculate risks when doing a quantitative analysis. For example, if we take the threat times the vulnerability times the asset value, that will give us our total risk.
And if we take the total risk times our controls gap, that will give us our residual risk. On this slide we will look at the total risk versus the residual risk. On the left side of the screen, we have our initial or inherent risk before we placed any controls in place.
You can see that the severity moves up from top to bottom. And the likelihood of the threat occurring moves up from right to left. So we have a threat that is in the high severity and high likelihood, a threat that is in the moderate likelihood and the moderate severity, and we have a threat in the low severity, but high likelihood.
These exposure areas are information integrity loss, availability loss, disclosure, ethics violations, or violation of regulations put in place based on our industry. Network impact, where our systems are taken offline, or even a financial impact where someone steals our money or one of our assets. On the right, we have our residual risk after we implement the controls.
You can see that we've moved most of our risks into the low likelihood and low severity. Although there is one risk that we've pointed out at the bottom that says this is accepted, we've chose not to place any controls on this particular risk and just accept the risk as it stands before implementing any controls.
In order to manage our risk appropriately we must take steps to reduce the risk. One of the most common actions we will take is to mitigate the risk to our organization. First, we have to be aware of the risk. Once we've completed our risk analysis our management staff should be well aware of our team's findings.
We should then offer a control to mitigate each of the risks. We must know the limits of these controls. Although a control can mitigate a risk, it may not be able to completely abolish the risk. It is nearly impossible to totally eliminate a risk. We should establish an acceptable amount of risk that we are willing to accept based on our management's risk tolerance, since there is always gonna be some residual risk even after implementing a control.
We should have contingency plans in case a control does not work properly and an incident occurs, there should be an action plan in place that employees can take to minimize the amount of damage that occurs. And we should have cyber incident response plans and disaster recovery plans. In the event of an incident, we're able to recover quickly, as well as respond to that incident and take steps to investigate the root cause and those individuals that may be responsible.
We have several appropriate responses to risk. First, we can mitigate the risk by reducing the risk or controlling it, such as by implementing cost effective counter measures. We can decide to accept a risk as long as we've performed a careful consideration and we've determined that what we could lose and what the cost of the control would be.
We can choose to live with the risk without implementing any counter measures. We can decide to transfer the risk by purchasing insurance or signing a service level agreement, or SLA, with a third party company to provide us with a service. Or, we can avoid a risk by changing the activity that causes the risk.
For example, if we have an increased risk of fire because employees are smoking outside our building, we can implement a smoke free campus policy. And totally ban cigarettes from being brought onto the property to avoid that particular risk. It is never acceptable to simply ignore a risk. It may be appropriate to decide to accept a risk after you've carefully considered the alternatives, but it is never acceptable to simply ignore a risk.
This is most likely something that you will see on the CISSP exam. You may be asked to provide appropriate responses to risk. It is appropriate to mitigate a risk, accept it, transfer it, or avoid it, but it is never acceptable to ignore a risk. This concludes our risk management concepts module.
Thank you for watching.
Classified by skill and ranked by difficulty. Choose to answer questions in STUDY MODE to review and you go.
Know when you’re ready for the high-stakes exam. Have the confidence that you will pass on your first attempt.
Don’t forget what you’ve just studied! Use the intelligent reinforcement questions to stay fresh.
THANK YOU! Just bloody thank you! I’m doing the CEH minor at my college and well...I’ve learned more from this site in a few hours than I’ve learned from my school in 9 weeks about the subject. Keep up the good work!
Skillset’s Exam Engine continuously assesses your knowledge and determines when you are ready take and pass your exam. When Skillset learns that there is a gap between your knowledge and what you need to know to pass, we present you with a focused training module that gets you up to speed quickly. No fluff! Find your knowledge gaps and fill them.
Skillset is confident that we can help anyone pass their exam. If you reach 100% readiness, and you do not pass your exam, we will refund you plus pay for a replacement exam voucher. That’s how powerful our learning system is, we can offer this guarantee and stand behind our products with this no risk to you guarantee. See terms and conditions.
Don’t waste time studying concepts you have already mastered. Focus on what you need to know to pass. The Skillset Competency Diagnostic aligns our Exam Engine and Learning Plan to your baseline knowledge. This saves an average of 31% of the time required to prep for a professional certification exam.
More PRO benefits are being built all the time!