Risk Management Phase: Risk Treatment PDF
Document Details
Uploaded by barrejamesteacher
Summary
This document covers the risk treatment phase of risk management: the process of selecting and implementing controls to modify identified risks, prioritised by severity and driven by the results of the risk assessment. It describes the four risk treatment options (avoiding, modifying/reducing, sharing/transferring, or accepting risk), the distinction between inherent and residual risk, the actions taken to minimise or eliminate risk, and the risk treatment plan, including the steps for developing and implementing it and the follow-on tracking and review phase.
Full Transcript
Certified Cybersecurity Technician Exam 212-82, Risk Management

Risk Management Phase: Risk Treatment

▪ Risk treatment is the process of selecting and implementing appropriate controls on the identified risks
▪ Risks are addressed and treated according to their severity level
▪ Decisions made in this phase are based on the results of the risk assessment

Risk treatment is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. Risks are addressed and treated according to their severity level, and the decisions made in this phase are based on the results of the risk assessment. This step identifies treatments for the risks that fall outside the department's risk tolerance and provides an understanding of the level of each risk together with its controls and treatments. It establishes the priority order in which individual risks should be treated, monitored, and reviewed.

Before treating a risk, the security professional needs to gather information about the
▪ appropriate method of treatment;
▪ users responsible for the treatment;
▪ costs involved;
▪ benefits of the treatment;
▪ likelihood of success; and
▪ ways to measure and assess the treatment.

Once the security professional has decided how to treat the identified risks, the risk treatment plan is developed and regularly reviewed. The options for risk treatment are avoiding the risk (avoiding the activities that increase the probability of the risk), reducing the risk (reducing the likelihood of the risk occurring and reducing its impact if it does occur), transferring the risk (shifting responsibility for the risk to another party through insurance or partnership), and accepting the risk (if it cannot be avoided or transferred).
Module 22 Page 2357 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Actions to Minimize or Eliminate Risk

▪ Develop a risk control plan
▪ Find the impact of risk control on service delivery
▪ Identify the constraints on risk control and consider them when completing the risk control plan
▪ Implement the risk control strategies
▪ Uncontrollable risks
▪ Client resistance to risk control
▪ Communicate with support workers and other workers during risk control
▪ Completely document the risk control plan as part of the risk control process

Risk Treatment Process/Options

▪ A risk treatment process can change the likelihood of risk occurrence owing to the risk treatment options available
▪ Risk Modification or Risk Mitigation: efforts to modify risk exposure by applying controls to the process, system, or environment
▪ Risk Retention or Risk Acceptance: the organization acknowledges the existence of a risk and chooses deliberately to operate without applying alternative risk treatment strategies
▪ Risk Avoidance or Risk Elimination: adjustments in organizational strategy or processes to eliminate or reduce the risk
▪ Risk Sharing or Risk Transfer: reassigning accountability for a risk to another entity or organization; the most common example of risk sharing is insurance. Risk transfer is an acceptable strategy to manage risks that are easy to define or clearly understood

A risk treatment process can change the likelihood of risk occurrence owing to the risk treatment options available. These options help us understand what risk treatment constitutes and help mitigate or manage the risks.

Risk Treatment Options

Risk Modification or Risk Mitigation

Risk modification is the most common risk treatment option. When performing risk modification, an organization seeks to change risk exposures or outcomes by applying security controls to a process, system, or environment. Some risk management frameworks describe modification in terms of mitigation, that is, the extent to which the severity of the risk has been reduced. Because modification is commonly associated with the application of security controls, it is important that the security professional understands the types of controls available and the objectives of those controls.

Risk Retention or Risk Acceptance

Risk acceptance occurs when an organization acknowledges the existence of a risk and chooses deliberately to operate without applying one of the other treatment options available. The organization accepts the potential outcome of the identified risk while understanding its potential impact on the organization. Some level of risk always exists, even after applying controls to support mitigation; risk acceptance in these cases applies to the residual risk that remains. Risk acceptance often maps to the organization's perceptions or feelings about risk. The security professional must communicate the risks and potential outcomes that exist, but the organization has the responsibility to choose whether or not to accept a risk as a treatment strategy. Organizations should define policies and procedures for risk acceptance as part of corporate governance. Optimally, these policies and procedures should define requirements for escalation and approval of risk acceptance to ensure accountability for the decision.

Risk Avoidance or Risk Elimination

Avoidance is a risk treatment option that occurs when an organization makes changes or avoids an activity to remove the risk and eliminate its effect on the activity altogether. For example, an organization may choose not to build a new facility because of the outcome of a risk assessment. Instead of applying controls to address natural disasters or other physical threats, the organization chooses to build in another location to eliminate the identified risk.

Risk Sharing or Risk Transfer

Risk sharing relates to reassigning accountability for a risk to another entity or organization. Most often, this is accomplished by purchasing insurance that will reduce the direct costs of a covered event or reduce the cost of remediation. This risk treatment option also applies to the distribution of risk between business partners. Although shared or transferred risk can reduce the costs associated with risk management, an organization cannot transfer a risk entirely to another organization: the organization ultimately owns the risk and shares the cost of potential outcomes. Risk transfer is an acceptable strategy for managing risks that are easy to define or clearly understood. Risks that are difficult to quantify may increase the risk profile, because a loss of influence or control is assumed when an organization transfers or shares a risk with another entity. For example, cyber insurance may cover a data breach, but the policy only pays if specific criteria are met, and the root cause and outcome of such an event vary widely from one organization to the next.

The steps taken in risk treatment differ from case to case.
Stakeholders and process owners mutually decide these steps. The key points to consider in risk treatment are as follows:

▪ Implement an appropriate risk treatment option
▪ Ensure adequate resources are available while implementing the risk treatment plan
▪ The risk treatment plan should reduce the risk to an acceptable level
▪ Remedial actions should be taken for risks that need to be handled immediately

Note: The risk treatment options do not always mitigate risks completely. Often, residual risks persist, and these need to be considered as well.

Risk Categories

The two primary categories of risk are as follows:

▪ Inherent Risk: the risk that exists before controls are implemented. Understand the potential risk impact that exists before controls are implemented in order to understand the value and effectiveness of the mitigation strategy.
▪ Residual Risk: the risk that remains after controls are implemented. The most important consideration for residual risk is the understanding that some quantity of risk always remains after applying mitigation.

Inherent Risk

Inherent risk is the risk that exists before controls are implemented. The organization must understand the potential risk impact that exists before controls are implemented in order to understand the value and effectiveness of the mitigation strategy.

Residual Risk

The most important idea about residual risk is that some quantity of risk remains after controls are applied.
Risk mitigation exists to reduce risk to an acceptable level, but that level is rarely zero unless the organization chooses avoidance as the risk treatment strategy. Risk acceptance, therefore, is the normal outcome of reducing a risk to the lowest acceptable residual level.

Risk Treatment Plan

▪ The risk treatment plan is the action plan describing how you plan to respond to potential risks
▪ A risk treatment plan document must be produced as part of a certified ISO 27001 information security management system
▪ Contents of the plan: proposed security controls with priorities and deadlines; required resources; roles and responsibilities of the stakeholders responsible for the proposed action; performance reporting and monitoring requirements

The risk treatment plan is the action plan that describes how the organization will respond to potential risks. It provides a summary of the identified risks, the designed response to each risk, the parties responsible for each risk, and the target date for its treatment. It is one of the essential documents an organization must produce as part of a certified ISO 27001 information security management system.

Steps for the Risk Treatment Plan

Developing a risk treatment plan requires determining the level of treatment required at each risk level. For example, what level of treatment is necessary for high, moderate, and minor risks, respectively? What improvement opportunities are available to offset the risks?
To ensure that risk treatment plans are implemented correctly and monitored accurately, the security professional needs to ensure

▪ that the right structure is used to support the treatment plan;
▪ the availability of adequate resources for those involved in mitigating risks;
▪ communication within the treatment plan and with key stakeholders;
▪ that the right risk treatment plan is implemented, through accurate and timely risk analysis;
▪ that the owner of the treatment plan can specify how the implementation will be monitored, including increasing or decreasing risk levels; and
▪ that the treatment plan is routinely reviewed for effectiveness and risk levels.

Risk Management Phase: Risk Tracking and Review

▪ The risk tracking phase identifies the chance of a new risk occurring
▪ The tracking phase ensures appropriate controls are implemented to handle risks
▪ Risk tracking also includes monitoring the probability, impact, status, and exposure of risks
▪ The review phase evaluates the performance of the implemented risk management strategies
▪ Risk reporting ensures management is aware of the top risks, enabling them to plan to reduce the risk appropriately

For the risk management process, well-planned and regular monitoring and review are required in order to identify new risks and reduce them appropriately.

▪ Risk Tracking

Risk tracking identifies the chance of a new risk; it includes monitoring the probability, impact, status, and exposure of risks. In this step, the identified risks are regularly reviewed and changes in actions or events are documented; for example, the risk evaluation is modified when security controls that reduce a risk are implemented, and newly identified risks are recorded.
▪ Risk Review

Reviewing the effectiveness of the implemented risk management strategies regularly helps an organization understand the shortcomings of its security controls and enhance them. It enables the organization to maintain its risk management objectives and to keep its context up-to-date and accurate.
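The treatment plan elements described above (each risk, its designed response, the responsible party, and the target date), the inherent/residual distinction, the requirement that acceptance of risk above tolerance be approved, and the tracking of probability, impact, and exposure can be captured in a small risk register checker. The following is an added example and is not part of the EC-Council module. Its scoring scheme is an assumption chosen for illustration: likelihood and impact on 1 to 5 scales, exposure as likelihood x impact, a fractional "reduction" credited to a modification or sharing treatment, and a tolerance threshold of 8. The register entries are constructed sample data, not real assessment results.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed scoring scheme (not from the module): likelihood and impact on
# 1-5 scales, exposure = likelihood x impact, residual above 8 is outside tolerance.
TREATMENTS = ("modify", "accept", "avoid", "share")
RISK_TOLERANCE = 8


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int                 # 1-5, before any controls (inherent)
    impact: int                     # 1-5, before any controls (inherent)
    treatment: str                  # one of TREATMENTS
    owner: Optional[str] = None     # party responsible for the treatment
    target_date: Optional[date] = None
    reduction: float = 0.0          # fraction of exposure the treatment removes
    acceptance_approved_by: Optional[str] = None  # sign-off for accepted residual risk


def inherent_exposure(r: Risk) -> int:
    """Inherent risk: exposure before any controls are applied."""
    return r.likelihood * r.impact


def residual_exposure(r: Risk) -> float:
    """Residual risk: what remains after the chosen treatment."""
    if r.treatment == "avoid":
        return 0.0                              # the only option that reaches zero
    if r.treatment == "accept":
        return float(inherent_exposure(r))      # nothing applied: residual == inherent
    # modify/share: controls or coverage remove a fraction of the exposure
    return inherent_exposure(r) * (1.0 - r.reduction)


def lint(r: Risk) -> List[str]:
    """Findings against the treatment-plan requirements described in the module."""
    findings = []
    if r.treatment not in TREATMENTS:
        findings.append(f"{r.rid}: unknown treatment '{r.treatment}'")
        return findings
    if not r.owner:
        findings.append(f"{r.rid}: no responsible owner")
    if r.target_date is None:
        findings.append(f"{r.rid}: no target date")
    if r.treatment == "modify" and r.reduction <= 0.0:
        findings.append(f"{r.rid}: modification with no recorded control effectiveness")
    if r.treatment == "share" and r.reduction >= 1.0:
        findings.append(f"{r.rid}: a risk cannot be transferred entirely; sharing must leave a residual")
    resid = residual_exposure(r)
    if resid > RISK_TOLERANCE:
        if r.treatment == "accept" and not r.acceptance_approved_by:
            findings.append(f"{r.rid}: residual {resid:g} above tolerance accepted without approval")
        elif r.treatment != "accept":
            findings.append(f"{r.rid}: residual {resid:g} still above tolerance after {r.treatment}")
    return findings


def treatment_order(risks: List[Risk]) -> List[str]:
    """Priority order for treatment: most severe inherent exposure first."""
    return [r.rid for r in sorted(risks, key=inherent_exposure, reverse=True)]


def sample_register() -> List[Risk]:
    """Constructed sample entries for demonstration, not real assessment data."""
    d = date(2025, 3, 31)
    return [
        Risk("R1", "Unpatched internet-facing VPN appliance", 4, 5, "modify", "IT Ops", d, reduction=0.75),
        Risk("R2", "Ransomware on file servers", 3, 5, "share", "CISO", d, reduction=0.5),
        Risk("R3", "New office planned in a flood zone", 2, 5, "avoid", "Facilities", d),
        Risk("R4", "Legacy application without MFA", 5, 3, "accept", "App Owner", None),
        Risk("R5", "Phishing of finance staff", 3, 3, "modify", None, d),
    ]


if __name__ == "__main__":
    register = sample_register()
    print("Treatment order:", treatment_order(register))
    for risk in register:
        print(f"{risk.rid}: inherent={inherent_exposure(risk)} residual={residual_exposure(risk):g}")
        for finding in lint(risk):
            print("  -", finding)
```

Running the module prints the treatment order (R1 first, with inherent exposure 20) and flags R4, which accepts a residual of 15 without any recorded approval or target date, and R5, which has no owner, no control effectiveness recorded, and a residual that is still above tolerance. R1 through R3 pass because their residuals are within tolerance and each has an owner and a date; R3 is the only entry that reaches zero, because avoidance is its treatment.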