Risk Acceptance and Risk Rejection

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

Risk Management and Information Systems Control

Course

Difficulty

Intermediate

Video Transcription

00:00

This is risk management and information technology.

00:03

In our previous lessons, we discuss risk mitigation, avoidance and transference as part of risk management.

00:10

Now, we will be discussing risk acceptance or rejection as a management response to risk.

00:18

This lesson is about risk acceptance and rejection.

00:21

We will be discussing different risk acceptance scenarios and different examples of how this is done depending on the risk level.

00:28

We will then discuss risk rejection and the next steps to calculate the residual risk.

00:36

1st. With risk acceptance,

00:38

management will accept the consequences of any laws from the threat when it is realized,

00:45

they understand the risk and determined that it is not possible for them to solve it in the present situation.

00:51

This can also happen if management has a high risk tolerance or high risk appetite, so they understand the risk and just take it as it is.

01:00

If this happens, it is important that the acceptance be taken in a clearly written form or agreement. Either electronically or physically.

01:11

A risk acceptance form indicates why safeguard or color measure cannot be implemented.

01:15

Reasons that management provide include the deprecation of software or planned migration to a later version of the equipment.

01:23

Another reason is the lack of budget for the remaining year. As implementation may take several resources, such as personal and time.

01:33

The form should also indicate who is responsible, decision and who approved it and that can be several departments or several managers in the chain of command.

01:42

Lastly, the forum should also indicate who is responsible for the loss. If the threat is realized,

01:49

the approval will accept any responsibility for the loss

01:52

when the threat is realized.

01:56

Here's an example risk acceptance form

01:59

note this section was outrageous. Indicated.

02:01

The summary indicates what risk is being accepted.

02:05

Then the form indicates what services are affected, which our business processes impacted when the threat occurs.

02:12

SRC saw will also chime in on the recommendation. The gravity of the risk when the threat is realized

02:19

and provides any other alternatives that are proposed to reduce the risk.

02:23

Any compensation security controls or vulnerabilities that can also stem from the risk is also indicated.

02:31

The risk assessment team indicates the likelihood of the risk occurring as well as the size of the risk. Whereas low, medium high,

02:39

then a list of signatory approvals by whomever accepts the risk completes the form.

02:47

Here's another risk acceptance scenario

02:50

And it's a common one

02:52

among most organizations.

02:54

There's an account password that is used by several applications that cannot be changed because it is hard good.

03:00

The application themselves have no further development and management decides to decommission the application the following year,

03:07

adhering to restricting and allowing safeguards of protecting the password.

03:12

In this scenario,

03:14

management understood the risk and accepts it.

03:17

It then sets up a project update to software end upcoming annual budget

03:22

I. T. V ads mitigating controls financial security of the password.

03:27

Here's an at risk acceptance scenario.

03:30

Management needs to decommission and in house application that uses java.

03:36

The cost of hiring developers, testing and implementing updates cost more than buying an off the shelf product available.

03:44

After considering the costs and benefits of the study

03:46

managers came together to discuss how to move forward since the support for the job version is obsolete.

03:55

Finally, risk rejection.

03:58

Risk rejection is a valid response of management that they believe that the risk is invalid and does not affect business operations.

04:05

If this occurs, if this occurs, the risk assessment team must calculate the residual risk

04:13

in this scenario. Management accepts the risk but sets up the line item to purchase and replace the existing software in the upcoming budget.

04:21

It helps by adding mitigating controls to ensure that existing application does not disrupt operations. By centralizing the management into third party solution such as Citrix or Windows VD.

04:34

To calculate for the residual risk, we calculate first the total risk, which is a number of threats, multiplied by a number of vulnerabilities, multiplied by the asset value.

04:46

Gender seizure risk is equal to the total A risk

04:48

subtracted by the number of control gaps which are the number of controls that have mitigation implemented or safeguards applied

04:57

time for a quick quiz,

04:59

which of the following is not a reason that management considers for risk acceptance.

05:02

Is it a management having a higher risk tolerance or appetite?

05:08

The

05:09

not arrived. The countermeasure

05:11

or c

05:13

considering the cost benefit of the countermeasure,

05:16

The answer is b risk acceptance does not consider any ri of the countermeasure.

05:24

Here's another

05:25

true or false.

05:27

Risk acceptance does not need accountability from someone within an organization.

05:30

Is this true?

05:32

Are false

05:35

and the answer is false. Risk acceptance requires accountability for the risk and this has to be documented and approved by the organization to accept that risk.

05:47

Well, last

05:49

to false

05:51

risk rejection triggers calculation of residual risk.

05:56

Is this true?

05:57

Are false

05:59

and the answer is true.