Risk Transference

Difficulty
Intermediate
Video Transcription
00:01
This is risk management information technology.
00:04
In our previous lessons, we discussed risk mitigation and avoidance as part of risk management.
00:09
Now we will be discussing risk transference as a management response to risk.
00:15
This lesson is about risk transference.
00:19
We will be discussing different risk transference scenarios and different examples of how this is done depending on the risk level.
00:28
Risk transference is a common business solution.
00:30
The organization transfers the risk to another organization by outsourcing.
00:35
This is similar to buying health or automobile insurance, but in this case the organization buys the service to ensure mitigation of the risk.
00:44
This can cost significantly higher for the organization in the long run.
00:50
With that in mind, let's talk about scenarios on how risk transference can be done in a small risk environment,
00:55
a medium risk environment or an enterprise setting.
00:59
The risk is determined as low if there is no significant loss when the threat is realized.
01:04
A medium-sized risk is where there is substantial loss when the threat is realized.
01:10
Enterprise level risk is geared towards large size businesses with 50 employees or more.
01:17
Here is an example of a risk transference scenario.
01:21
An organization's high-traffic website has been a target of a distributed denial of service attack, or DDoS, by a group of hackers extorting the company.
01:30
The site will go down for a few hours at a time during peak. That causes the business to lose customers and income.
01:38
The CEO and CTO have been discussing other ways to deal with the DDoS.
01:44
With low risk transference, we can purchase additional network devices that provide DDoS mitigation, such as load balancers and additional servers.
01:53
We could also transfer the risk by upgrading to new equipment with vendor support that guarantees the handling of DDoS.
02:00
We can also purchase additional security assessments from a third party to eliminate blind spots
02:06
that provide guarantee and insurance.
02:09
With medium risk transference, we can use a third-party hosting company to host our website during an outage, which can absorb DDoS attack traffic. This is common for high-traffic websites.
02:22
Some hosting providers can identify bot traffic, including unusual HTTP requests, and block those before a request attacks the website.
02:32
For enterprise risk transference, more sophisticated and expensive solutions are available, such as purchasing a service from DSP to identify and block DDoS traffic to ensure legitimate customers are connecting to the website
02:46
online. Third parties such as Verisign and Cloudflare also offer similar services. Another solution is to purchase insurance for any losses stemming from DDoS, if this is available.
03:00
Here is another risk transference scenario.
03:02
The organization can no longer manage backups in the office,
03:06
but the auditors require retention of 90 days' worth of data for important documents, files and email.
03:12
The CEO suggested investigating third-party solutions for maintaining the backups.
03:21
With low risk transference, we can hire a consultant to set up and maintain backups with a favorable contract agreement.
03:31
With medium risk transference, we can purchase an online backup solution such as Box, Wasabi or even AWS.
03:40
For enterprise risk transference, personalized services such as Iron Mountain can come to our data center and take the backups and save them in their secure facility.
03:51
This can then be digitized, encrypted and maintained on their end.
03:54
Personalized services like these are expensive and cost-prohibitive for smaller and medium-sized companies. Only mission-critical data is usually stored in this way.
04:06
As you can see, as we add more controls for risk transference, so does the cost of implementation.
04:14
Okay. Time for a quick quiz.
04:16
Which of the following is not a form of risk transference?
04:20
Is it A, purchasing insurance,
04:24
B, outsourcing IT security skills, or C, building an in-house security team?
04:31
And the answer is C.
04:34
Building an in-house security team is not a form of risk transference.
04:38
It means that you're actively engaging the acceptance of the risk and mitigating it.
04:46
Okay, next.
04:46
True or false.
04:48
Risk transference can cost significantly higher for an organization in the long run.
04:55
True
04:56
or false?
04:59
And the answer is true.
05:01
Personalized services can exponentially cost more than upgrading service.
05:06
More sophisticated services require expertise and consultants.
05:11
Staff has to be trained to maintain software
05:13
and the devices if it was purchased.
05:15
Vendor agreements can also increase in price year over year.
05:20
In summary,
05:23
we talked about risk transference or risk assignment, which can cost significantly higher for an organization
05:29
in the long run
05:30
and can include insurance or outsourcing of services.
05:35
This is instructor Robert Ghana.