Risk Acceptance and Risk Rejection


Time
1 hour 39 minutes
Difficulty
Intermediate
CEU/CPE
1
Video Transcription
00:00
This is risk management and information technology.
00:03
In our previous lessons, we discussed risk mitigation, avoidance and transference as part of risk management.
00:10
Now, we will be discussing risk acceptance or rejection as a management response to risk.
00:18
This lesson is about risk acceptance and rejection.
00:21
We will be discussing different risk acceptance scenarios and different examples of how this is done depending on the risk level.
00:28
We will then discuss risk rejection and the next steps to calculate the residual risk.
00:36
First, with risk acceptance,
00:38
management will accept the consequences of any loss from the threat when it is realized.
00:45
They understand the risk and have determined that it is not possible for them to solve it in the present situation.
00:51
This can also happen if management has a high risk tolerance or high risk appetite, so they understand the risk and just take it as it is.
01:00
If this happens, it is important that the acceptance be taken in a clearly written form or agreement, either electronically or physically.
01:11
A risk acceptance form indicates why a safeguard or countermeasure cannot be implemented.
01:15
Reasons that management provides include the deprecation of software or a planned migration to a later version of the equipment.
01:23
Another reason is the lack of budget for the remaining year, as implementation may take several resources, such as personnel and time.
01:33
The form should also indicate who is responsible for the decision and who approved it, and that can be several departments or several managers in the chain of command.
01:42
Lastly, the form should also indicate who is responsible for the loss if the threat is realized;
01:49
the approver will accept any responsibility for the loss
01:52
when the threat is realized.
01:56
Here's an example risk acceptance form.
01:59
note this section was outrageous. Indicated.
02:01
The summary indicates what risk is being accepted.
02:05
Then the form indicates what services are affected, which business processes are impacted when the threat occurs.
02:12
SRC saw will also chime in on the recommendation, the gravity of the risk when the threat is realized,
02:19
and provide any other alternatives that are proposed to reduce the risk.
02:23
Any compensating security controls, or vulnerabilities that can also stem from the risk, are also indicated.
02:31
The risk assessment team indicates the likelihood of the risk occurring as well as the size of the risk, whether it is low, medium or high;
02:39
then a list of signatory approvals by whomever accepts the risk completes the form.
02:47
Here's another risk acceptance scenario,
02:50
and it's a common one
02:52
among most organizations.
02:54
There's an account password that is used by several applications that cannot be changed because it is hard-coded.
03:00
The applications themselves have no further development, and management decides to decommission the applications the following year,
03:07
adhering to restricting and allowing safeguards of protecting the password.
03:12
In this scenario,
03:14
management understands the risk and accepts it.
03:17
It then sets up a project to update the software in the upcoming annual budget;
03:22
IT adds mitigating controls for the security of the password.
03:27
Here's another risk acceptance scenario.
03:30
Management needs to decommission an in-house application that uses Java.
03:36
The cost of hiring developers, testing and implementing updates is more than buying an available off-the-shelf product.
03:44
After considering the costs and benefits of the study,
03:46
managers came together to discuss how to move forward, since support for the Java version is obsolete.
03:55
Finally, risk rejection.
03:58
Risk rejection is a valid response of management when they believe that the risk is invalid and does not affect business operations.
04:05
If this occurs, the risk assessment team must calculate the residual risk.
04:13
In this scenario, management accepts the risk but sets up a line item to purchase and replace the existing software in the upcoming budget.
04:21
It helps by adding mitigating controls to ensure that the existing application does not disrupt operations, by centralizing the management into a third-party solution such as Citrix or Windows VD.
04:34
To calculate the residual risk, we first calculate the total risk, which is the number of threats multiplied by the number of vulnerabilities, multiplied by the asset value.
04:46
Then residual risk is equal to the total risk
04:48
minus the number of control gaps, which are the number of controls that have mitigation implemented or safeguards applied.
04:57
Time for a quick quiz:
04:59
which of the following is not a reason that management considers for risk acceptance?
05:02
Is it (a) management having a higher risk tolerance or appetite,
05:08
(b)
05:09
not arrived. The countermeasure
05:11
or (c)
05:13
considering the cost benefit of the countermeasure?
05:16
The answer is (b): risk acceptance does not consider any ri of the countermeasure.
05:24
Here's another,
05:25
true or false:
05:27
Risk acceptance does not need accountability from someone within an organization.
05:30
Is this true?
05:32
or false?
05:35
And the answer is false. Risk acceptance requires accountability for the risk, and this has to be documented and approved by the organization to accept that risk.
05:47
Well, lastly,
05:49
true or false:
05:51
Risk rejection triggers calculation of residual risk.
05:56
Is this true?
05:57
or false?
05:59
And the answer is true.
06:00
Risk rejection requires that the residual risk be calculated by the risk analyst.
06:09
In summary,
06:11
we talked about risk acceptance and looked at an example form.
06:15
We talked about risk rejection and that when management chooses to reject the risk, it triggers residual risk calculation.
06:21
Thank you for completing this lesson. This is Robert Ghana.