Risk Acceptance and Risk Rejection
This is Risk Management and Information Systems Control. In our previous lessons, we discussed risk mitigation, avoidance and transference as part of risk management. Now we will be discussing risk acceptance and rejection as a management response to risk.
This lesson is about risk acceptance and rejection. We will discuss different risk acceptance scenarios and examples of how this is done depending on the risk level. We will then discuss risk rejection and the next steps to calculate the residual risk.
First, with risk acceptance, management accepts the consequences of any loss from the threat when it is realized; they understand the risk and have determined that it is not possible for them to solve it in the present situation.
This can also happen if management has a high risk tolerance or high risk appetite, so they understand the risk and simply take it as it is.
If this happens, it is important that the acceptance be recorded in a clearly written form or agreement, either electronic or physical.
A risk acceptance form indicates why a safeguard or countermeasure cannot be implemented.
Reasons that management provides include the deprecation of software or a planned migration to a later version of the equipment.
Another reason is the lack of budget for the remaining year, as implementation may take several resources, such as personnel and time.
The form should also indicate who is responsible for the decision and who approved it; that can be several departments or several managers in the chain of command.
Lastly, the form should also indicate who is responsible for the loss. If the threat is realized, the approver accepts any responsibility for the loss.
Here's an example risk acceptance form; note the sections indicated.
The summary indicates what risk is being accepted.
Then the form indicates what services are affected and which business processes are impacted when the threat occurs.
The CISO will also chime in on the recommendation, the gravity of the risk when the threat is realized, and any other alternatives proposed to reduce the risk.
Any compensating security controls, or vulnerabilities that can also stem from the risk, are also indicated.
The risk assessment team indicates the likelihood of the risk occurring as well as the size of the risk, whether low, medium or high;
then a list of signatory approvals by whomever accepts the risk completes the form.
Here's another risk acceptance scenario, and it's a common one among most organizations.
There's an account password that is used by several applications and cannot be changed because it is hard coded.
The applications themselves have no further development, and management decides to decommission the applications the following year, while restricting access and applying safeguards to protect the password in the meantime.
In this scenario, management understood the risk and accepts it.
It then sets up a project to update the software in the upcoming annual budget, and IT adds mitigating controls to enhance the security of the password.
Here's another risk acceptance scenario.
Management needs to decommission an in-house application that uses Java.
The cost of hiring developers, testing and implementing updates is more than buying an off-the-shelf product.
After considering the costs and benefits of the study, managers came together to discuss how to move forward, since support for that Java version is obsolete.
In this scenario, management accepts the risk but sets up a line item to purchase and replace the existing software in the upcoming budget.
It helps by adding mitigating controls to ensure that the existing application does not disrupt operations, by centralizing its management into a third-party solution such as Citrix or Windows Virtual Desktop.
Finally, risk rejection.
Risk rejection is a valid management response when management believes that the risk is invalid and does not affect business operations.
If this occurs, the risk assessment team must calculate the residual risk.
To calculate the residual risk, we first calculate the total risk, which is the number of threats multiplied by the number of vulnerabilities multiplied by the asset value.
The residual risk is equal to the total risk minus the controls gap, which is the number of controls that have mitigation implemented or safeguards applied.
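As an added example, not part of the lesson, the following Python applies the formula above and checks that a risk acceptance record carries the fields the lesson requires (ownership, approval, loss responsibility, likelihood and impact, signatures). The field names and the sample figures are assumptions.

```python
from dataclasses import dataclass, field

LEVELS = {"low", "medium", "high"}


@dataclass
class RiskAcceptanceForm:
    """Fields the lesson says an acceptance form must carry (names assumed)."""
    summary: str               # what risk is being accepted
    affected_services: list    # services / business processes impacted
    reason: str                # why the safeguard cannot be implemented
    decision_owner: str        # who is responsible for the decision
    approver: str              # who approved it
    loss_owner: str            # who accepts responsibility for the loss
    likelihood: str            # low / medium / high
    impact: str                # low / medium / high
    signatures: list = field(default_factory=list)


def acceptance_form_gaps(form: RiskAcceptanceForm) -> list:
    """List what is still missing before the acceptance is documented and approved."""
    gaps = []
    for name in ("summary", "reason", "decision_owner", "approver", "loss_owner"):
        if not getattr(form, name).strip():
            gaps.append(f"missing {name}")
    if not form.affected_services:
        gaps.append("no affected services listed")
    for name in ("likelihood", "impact"):
        if getattr(form, name).lower() not in LEVELS:
            gaps.append(f"{name} must be low, medium or high")
    if not form.signatures:
        gaps.append("no signatory approval")   # accountability is required
    return gaps


def total_risk(threats: int, vulnerabilities: int, asset_value: float) -> float:
    """Total risk = threats x vulnerabilities x asset value, as in the lesson."""
    return threats * vulnerabilities * asset_value


def residual_risk(threats: int, vulnerabilities: int, asset_value: float,
                  controls_gap: float) -> float:
    """Residual risk = total risk minus the controls gap (risk removed by safeguards)."""
    return total_risk(threats, vulnerabilities, asset_value) - controls_gap


# Constructed sample: the hard-coded password scenario with assumed figures.
HARDCODED_PASSWORD = RiskAcceptanceForm(
    summary="Shared hard-coded service account password cannot be rotated",
    affected_services=["legacy billing app", "report exporter"],
    reason="Applications are scheduled for decommissioning next year",
    decision_owner="Application owner", approver="CIO", loss_owner="CIO",
    likelihood="medium", impact="high", signatures=["CIO", "CISO"],
)
```

Calling `acceptance_form_gaps(HARDCODED_PASSWORD)` returns an empty list, and `residual_risk(2, 3, 50_000, 150_000)` yields the remaining risk after the controls gap is subtracted.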
Time for a quick quiz: which of the following is not a reason that management considers for risk acceptance?
(a) Management having a higher risk tolerance or appetite;
(b) the ROI of the countermeasure;
(c) considering the cost-benefit of the countermeasure.
The answer is (b): risk acceptance does not consider any ROI of the countermeasure.
True or false: risk acceptance does not need accountability from someone within an organization.
The answer is false. Risk acceptance requires accountability for the risk, and this has to be documented and approved by the organization to accept that risk.
True or false: risk rejection triggers calculation of residual risk.
The answer is true. Risk rejection requires that the residual risk be calculated by the risk analyst.
We talked about risk acceptance and looked at an example form.
We talked about risk rejection and that when management chooses to reject the risk, it triggers the residual risk calculation.
Thank you for completing this lesson. This is Robert Ghana.