Risk Response

Video Transcription
00:00
Hello again and welcome to the CISSP Certification course with Cybrary: Risk Response. My name is Shalane Hutchins.
00:11
Today we're going to cover risk acceptance,
00:15
risk avoidance,
00:17
risk mitigation,
00:19
risk sharing or transfer
00:25
Risk acceptance is a response to an identified risk
00:29
when the risk is within the organisation's risk tolerance,
00:33
and accepted risks can be low, medium or high depending on the situation.
00:40
High risks should not be regularly accepted. They should be remediated.
00:45
Critical risks must be addressed immediately and should never be accepted.
00:50
Any time a risk is accepted, it should be appropriately documented with accountability for who is accepting the risk.
00:58
Risks should only be accepted by senior leaders and/or business unit leaders. However, before any risk is accepted,
01:04
it should be evaluated to ensure there are no downstream effects to other areas within the organization.
01:11
Accepted risks should be reviewed on a periodic basis during the monitoring phase of the risk assessment process.
01:19
Organizational risk acceptance strategies
01:23
place the acceptance of risk into a framework of organizational perspectives on dealing with the practical realities of operating with risk, and provide the guidance necessary to ensure that the extent of the risk being accepted in specific situations is compliant with the direction of the organization.
01:41
Organizational risk acceptance strategies are essential companions to statements of risk tolerance.
01:48
The objective of establishing a risk tolerance is to state, in clear and unambiguous terms, a limit for risk. That is,
01:57
how far the organization is willing to go with regard to accepting risk to operations, assets and individuals.
02:08
Avoidance is another type of risk response.
02:12
Of all the risk response strategies, organisational risk avoidance strategies may be the key to achieving adequate risk response.
02:20
The information technologies available for use within common resource constraints are typically associated with issues related to their trustworthiness.
02:30
Therefore, the wise use of technologies is arguably a significant, if not the most significant, risk response.
02:38
The intelligent use of the technologies that make up the information systems in the organisation is a fundamental form of risk avoidance. That is, organizations modify how technology is used to change the nature of the risk being incurred,
02:54
i.e. avoid the risk.
02:57
Yet approaches such as a mandate to fully automate business processes can be in opposition with business desires.
03:07
Risk mitigation strategies reflect a perspective on what mitigations are to be employed and where they are able to be applied to reduce security risks to operations, assets and individuals.
03:23
Risk mitigation strategies are the primary link between risk management programs and security programs.
03:30
With the former covering all aspects of managing risk and the latter being a part of the risk response component of a risk management process.
03:40
Risk mitigation strategies are developed based on strategic goals and objectives, business requirements and priorities.
03:49
They provide the basis for making risk-based decisions on information security solutions that are associated with and applied to information systems within the organization.
04:00
Risk mitigation strategies are necessary to ensure sufficient protection against growing threats to information stored, processed or transmitted within an organization.
04:13
The nature of threats in dynamic environments in which operations take place demands flexible and scalable defenses, as well as solutions that can be tailored to meet rapidly changing conditions.
04:29
Effective risk mitigation strategies consider the general placement and allocation of mitigations and the degree of intended mitigation.
04:39
They should reflect the design of the business processes with regards to information protection needs and security requirements.
04:46
They should reflect the design of architecture with consideration for realistic, achievable risk mitigation.
04:54
They should also be implemented consistently within the information systems environments and, again, should be highly flexible and agile to acknowledge diversity in the organization's business functions and the dynamic environments in which they operate.
05:14
Risk sharing and transfer strategies both consider and take full advantage of a lessening of risk by sharing or transferring the potential impact across other internal organizational elements or other external organizations,
05:31
making the case that some entities are in fact wholly (they transfer) or partly (they share) responsible and accountable for the risk.
05:42
For risk sharing or risk transfer to be effective
05:46
risk responses,
05:48
the impact on the local environment must be addressed by the sharing or transfer.
05:54
In addition, risk sharing or transfer activities must be carried out in accordance with intra- and inter-organizational dynamics and realities. Managing risk cannot be transferred from one business unit to another without the business owner's awareness or approval.
06:13
You may laugh, but I've seen it happen in an immature risk assessment program.
06:18
The most typical form of risk sharing or transfer
06:23
strategy is an insurance policy.
06:26
The insurance company takes on the risk cost associated with the loss to enable the business or an individual to recover after the loss.
06:39
So in summary, today we covered risk acceptance,
06:43
risk avoidance,
06:45
risk mitigation
06:46
and risk sharing or transfer.
06:49
See you in the next module.