Risk Management: Basic definitions overview

Kaustubh
4 min read, Jan 5, 2023


More Details about Risk!!


If you missed my previous article on the basics of risk management, do read it first.

In my previous blog, I mentioned that elements such as vulnerability, threat, threat agent, impact and likelihood combine to form the fundamental parts of risk. Risk is described with different definitions within the security community. On one hand, risk is a relative level of danger or harm to an asset. It is also sometimes defined as the likelihood of a negative event happening to an organization and impacting its business operations. Another way of saying it might be the likelihood of a threat exploiting a vulnerability and causing an impact to an asset.

Terms Associated With Risk

Inherent risk

Inherent risk is the amount of risk that exists in the absence of controls. In other words, before an organization implements any countermeasures at all, the risk they face is inherent risk.

Residual Risk

Residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.

Risk Culture

It is the way in which the organization, as an entity, feels about and deals with risk. This culture is developed from several sources. It can come from the organization’s leadership, based upon their business and management philosophies, attitudes, education, and experience. It can also come from the organization’s governance.

Risk Appetite

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives before action is deemed necessary to reduce the risk.

Risk Tolerance

It is the acceptable level of deviation in risk for a particular endeavor or business pursuit. Risk tolerance is how much variation from the expected level of risk the organization is willing to put up with. There is a certain amount of risk in every business enterprise or pursuit; however, the organization may not be able or willing to tolerate large deviations from what it considers its acceptable level of risk on an endeavor.

Methods of Handling Risk

Risk Mitigation

To limit the risk by implementing controls that minimize the adverse impact of a threat on an asset. Implementing an anti-virus server in the organization does not guarantee that the assets will be protected from virus attacks; it is a method of minimizing the risk from known virus attacks. So by implementing anti-virus and keeping virus definitions updated, we are limiting the risk of a virus attack. Likewise, by taking backups at a regular frequency, we limit the threat's effect if it materializes.

Risk Transfer

To transfer the risk by using other options to compensate for the loss, such as purchasing insurance. Risk can also be transferred by outsourcing (having a contract with third-party vendors), for example through a maintenance contract (MC) or any other agreement that keeps spares available at our location.

Risk Avoidance

To avoid the risk by eliminating the risk cause and/or consequence. For example, an old system (Windows 98 running some legacy/proprietary application) that cannot be patched for the current vulnerabilities can be taken off the network to avoid the risk of being compromised.

Risk Acceptance

It might not always be possible or financially feasible to reduce risks to an acceptable level. In these circumstances, it might be necessary to knowingly and objectively accept the risk, or to implement controls that lower the risk to an acceptable level. For example, for testing purposes we might need to move one of the servers to the DMZ for a particular period of time. Since this testing is mandatory, it can be considered an acceptable risk for that period, but this has to be agreed by the management and the asset owners. We need to give a high priority to the business requirements, while also looking at how to safeguard information. There are instances where we need to accept a certain risk in order to see that the business requirements are met.

Residual Risk

After the risk treatment decisions have been implemented, there will always be risks with values higher than the acceptable threshold — these risks are called residual risk. The residual risks are presented to the management committee for acceptance, and management agrees to accept them. The accepted residual risks are documented and approved by management. All the residual risks will be revisited every time the risk assessment is revised or a new threat is discovered.
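The following is an added worked example (not from the original post) that ties the definitions above together: a small risk register that scores inherent risk, applies controls to get residual risk, and sorts each entry into "within appetite", "residual risk needing management acceptance" or "exceeds tolerance". It assumes a likelihood × impact scoring on 1–5 scales and single numeric appetite/tolerance thresholds; the register entries, control effects and thresholds are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood (1-5 scale), assumed model
    impact_reduction: int = 0      # points removed from impact (1-5 scale), assumed model

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        # Inherent risk: the score before any countermeasure is applied.
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Residual risk: what remains once controls are accounted for (never below 1x1).
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp

def treatment(risk: Risk, appetite: int, tolerance: int) -> str:
    """Appetite: accepted without further action. Tolerance: how far above appetite
    management may still knowingly sign off. Beyond that, treat the risk further."""
    r = risk.residual()
    if r <= appetite:
        return "within appetite"
    if r <= appetite + tolerance:
        return "residual risk: needs management acceptance"
    return "exceeds tolerance: mitigate, transfer or avoid"

# Constructed sample register and thresholds (not real organizational data).
APPETITE, TOLERANCE = 6, 4
REGISTER = [
    Risk("malware on file server", 5, 4,
         [Control("anti-virus with updated definitions", likelihood_reduction=3)]),
    Risk("ransomware destroys data", 3, 5,
         [Control("regular backups", impact_reduction=3)]),
    Risk("unpatched legacy host compromised", 5, 4),  # no control: candidate for avoidance
]

def residual_risks_for_acceptance(register=REGISTER, appetite=APPETITE, tolerance=TOLERANCE):
    """Names of risks that must be presented to management for acceptance."""
    return [r.name for r in register
            if treatment(r, appetite, tolerance).startswith("residual")]
```

Running `residual_risks_for_acceptance()` returns only the malware entry: its inherent score of 20 drops to 8, above appetite but within tolerance, while the backup control brings the ransomware risk within appetite and the uncontrolled legacy host stays at 20.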


Framework

A framework is a methodology for a set of activities or processes in risk management. It does not get into the details of the risk management process or procedure, but it gives a 500-foot view of the general direction and the steps needed to build a more detailed risk management program.

A few IT risk management frameworks are NIST, COBIT by ISACA, and The Risk IT Framework by ISACA.

Standard

A standard is a mandatory set of procedures or processes used by the organization, and standards usually fit into an overall framework. Standards often define more detailed processes or activities used to perform a specific set of tasks. Standards are used for compliance reasons and made mandatory by an organization or its governance.
