Actions to Address Risks and Opportunities Part 3

Time: 7 hours 52 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:01
Lesson 4.9.3
00:04
Actions to address risks and opportunities
00:07
Clause 6.1.3, Information security risk treatment
00:14
In this video, we're going to cover the risk treatment methods,
00:18
and we'll also have a look at the mandatory documentation for this clause.
00:27
Generally, there are four main types of risk treatment options.
00:32
In the risk evaluation section, we spoke quite a bit about risk acceptance. This is the first method of risk treatment.
00:40
You accept a risk
00:42
when a risk is at a level
00:44
that falls within your acceptable risk tolerance levels.
00:49
For example,
00:50
if your organization has established that it will accept all risks under a Level two,
00:57
as well as risks
01:00
that will not exceed
01:02
10% of the
01:06
replacement asset cost to fix,
01:08
whatever
01:10
the case is.
01:15
The second treatment option is to mitigate.
01:19
This is one of the most common
01:21
risk treatment options,
01:23
as this generally involves the implementation of controls
01:26
or the improvement of existing controls.
01:30
You can have one or multiple controls to mitigate a risk.
01:37
Mitigating the risk seeks to either reduce the likelihood of the risk occurring,
01:42
or reduce the impact of the risk occurring,
01:47
or reduce both the likelihood and the impact of the risk occurring.
01:53
The next treatment option
01:55
is to avoid the risk.
01:57
This means that whatever activity is associated with that risk, or would give rise to the risk,
02:05
that would be stopped entirely,
02:07
meaning, for example, that it is too risky to use a cloud service provider. So therefore, we won't use a cloud service provider; we would rather do everything ourselves and keep all the information that we need in house,
02:22
and not leverage any external platforms.
02:27
The fourth risk treatment option is to transfer a risk.
02:31
The most common example of this is to take out insurance.
02:37
This does not get rid of the risk.
02:39
The risk is still yours. At the end of the day, you cannot transfer the ownership or accountability for the risk.
02:47
You can only transfer
02:51
the impact
02:52
of the risk occurring.
02:55
Insurance would pay you out a compensating fee for a security incident,
03:00
which would make it easier for your organization to recover and manage that incident.
03:07
Another option in transfer
03:10
is to use a specialist third party for a specific service.
03:16
For example,
03:19
you want to perform penetration tests in your organization,
03:23
but it is too risky for you to do yourself, as you do not have the qualified personnel in house.
03:30
Therefore,
03:30
you will transfer that risk and get a third party in to perform those assessments for you.
03:37
This in itself can present different risks, but probably with different scales and ones that would fall within your acceptable
03:45
risk levels.
03:46
So what is the documentation that is required for clause 6.1.3?
03:53
The standard is not prescriptive about what your documentation needs to look like or how it needs to be done. That part is up to you,
04:01
but there are a couple of things that are required to be documented in some way or form.
04:08
The first document that you will have
04:11
outlining your controls is the statement of applicability
04:14
as discussed previously.
04:15
These are all the controls you have deemed relevant and necessary to manage information security within your organization.
04:24
It is important that controls which are not applicable to your environment
04:28
are explicitly justified as to why they are not applicable.
04:32
In the same sense, the controls that are applicable should be justified through a reference to your initial risk assessment.
04:41
This shows a justification of the controls as each control is associated to a specific risk
04:46
and works to mitigate the risk in some way,
04:49
The strength or effectiveness of the control determines how much a risk is mitigated.
04:55
That is a determination to be made by your organization during the initial risk assessment.
05:00
ISO 27001
05:03
recommends using ISO 27002
05:06
or Annex A
05:08
for the controls framework upon which to base your statement of applicability.
05:13
You can, of course, use any of the available controls frameworks,
05:16
such as NIST Special Publication 800-53,
05:19
the ISF Standard of Good Practice, privacy laws, ISO 22301, etcetera.
05:28
So why is this statement of applicability required documentation for clause 6.1.3?
05:33
This shows the applicable controls with links to items on the risk register.
05:40
It also shows non-applicable controls with justification.
05:46
The statement of applicability shows
05:47
that existing controls have addressed some or other risk in some way or form.
05:56
Your risk treatment process, the ways in which you go about treating risks, should be documented,
06:02
as the different risk owners you assign, who are not necessarily part of your direct ISMS team or who may not even have an information security background,
06:12
should be equipped with the appropriate knowledge and
06:14
guidelines of how to properly treat risks.
06:18
This can include the methods that need to be employed, example controls, contact people to work with, and so forth.
06:28
The risk treatment plan is the key piece of documentation that comes out of clause 6.1.3
06:34
for every risk that needs to be treated,
06:39
specifically those requiring a mitigation
06:42
or a transfer level of treatment. This would come through into your risk treatment plan.
06:48
Risks that have been accepted
06:50
and avoided
06:53
should also be documented in the risk treatment plan, but these will obviously require a lot less documentation and effort around them.
07:01
the risk treatment plan should contain plans for treating risks within the set due dates.
07:09
The plan should also contain the owners, or the responsible teams or personnel,
07:13
that will oversee the achievement efforts.
07:16
It is also a good thing to include progress updates in the plan
07:21
to show that the risk treatment process has been monitored closely
07:27
and regular progress updates fit into the plan.
07:31
You'll probably also generate stand-alone reports on your progress.
07:35
This will include various metrics to prove that risk treatment is being regularly tracked and acted upon.
07:43
This would be presented at some or other forum to your top management,
07:46
or your information security management forum,
07:49
just to report back on results, and if any support is needed or deviations have occurred,
07:56
then this would need to be presented here.
08:01
In this video, we covered the four main types of risk treatment actions
08:05
and what each one means.
08:09
We also looked at the mandatory documentation for risk treatment, as required by the ISO 27001 standard.