5 hours 58 minutes
welcome back to CyberRays is. Of course, I'm your instructor. Brad Roads. Let's jump into risk treatment options.
So in this video, we're gonna look at these areas. We're gonna look at risk avoidance, reduction, transfer, acceptance,
sharing and ultimately, residual risk.
So the first two are avoid and reduce. So avoid is pretty straightforward. We don't do the risk. We don't
we we avoid it on an avoidance of risk. Could be we stopped doing something. A process of technology, of people solution that is causing the risk. We avoid it, um, reducing risk when we reduce risk. That's where we employ controls to mitigate the risk, to bring it down to a more acceptable level for the organization
transfer and acceptance Well and transfer of risk. We simply delegated out to someone else that could be delegating it to an external organization. Let's say a vendor we hire right, we could be transferring that risk to somebody internal to the organization that is better at handling it. That's the delegation piece.
We could decide to accept it. We could look at the risk and say, You know what? That risk is so low
that we're just gonna live with it. Maybe it is a ah Web part that isn't worth fixing because it's a low risk item. Well, guess what? We If we accept that risk, that's okay. But as it sees, we need to advise our organizations on what does it mean when we accept a risk?
The last one from the standpoint of risk treatment options is sharing. And this is what we think about insurance. This is where we hand off or we pay for someone to explore and cover our risk for us. And so what does that mean? So when you're driving a car, right, you are doing risk sharing.
You are going toothy insurance provider.
You're paying a certain premium that says, Hey, I'm going to be a safe driver on. Based on that premium, you're going to get certain coverages for loss and stuff like that in the event of an accident. So following that analogy, if you do have an accident that your your fault, guess what your rates for that insurance go up.
Why? Because now there is less trust and sharing is all about trust, and so that that insurance provider says, well, you've had an accident that was your fault to plow through that fence? Well, guess what. Now you're gonna pay Mawr of the cost. You're still sharing that burden, but you're paying more of the cost. And that's what we talk about with risk sharing.
And then once we've done all of those risk treatment options, we've mitigated risks as best as we possibly can.
Right? We have residual risk. So there's a couple of things I want you to remember here. One you never have zero risk. Never, Never, ever. You might not have risks, but your organization will always have them or have some degree of risk. And so if somebody tells you that you can get to risk zero, that is not true,
right? Risk is managed with controls. That mitigation piece on DSO that's going to drive us to ah, residual risk. So when we apply controls across our risk space, right, we're gonna end up with some stuff left over what we're gonna talk about there and then our risk appetite, which is something unique to an organization.
Every organization is organic, they do things differently,
and what your organization is willing to accept is gonna be very, very individual
So once we've done all of our risk management processes and implied controls, we're gonna have residual risk. That residual risk is something we also have to manage and pay attention to. Like I said, risk is risk Management is a continual process. And so once we've identified that residual risk, we have to track it because it might change
the other thing that happens after we've applied controls
on done our risk management process. We may create secondary risks, and sometimes that reduction might create other risks that we didn't even think about. So, for example, let's say that I apply a mandatory access control using zero trust architecture er to a data source. Great. Well,
now maybe I've created a secondary risk
where access is Onley available on site in my organization. Well, that now I have folks, especially when we think about the the days of the pandemic that we're operating in today. Well, guess what? Now if folks have to come in, I've created a totally different secondary risk that I didn't think about, so that's important.
And so risk management is truly a whole list operation
that allows us to manage that that concerns for our organization to ensure that we reduce risk as much as possible.
So in this lesson, we looked at avoiding, reducing, transferring, accepting and sharing risk. Remember that insurance piece? And then we talked about residual risk and the fact that even when we get to residual risk cause we're never going to get to a zero risk, that never happens, right? We're gonna have to manage that residual risk and monitor throughout time because those residual risk may
We'll see you next time in our module summary.
Certified Information Systems Security Professional (CISSP) 2021
CISSP is the basis of advanced information assurance knowledge for information security professionals. Often referred ...
16 CEU/CPE Hours Available
Certificate of Completion Offered
ISC2 CISSP Practice Test: Certified Information Systems Security Professional
There is a growing need for information security leaders who possess the depth of expertise ...