Page 54 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Information Security and Privacy




                                   4.4.2 Avoidance

                                   Risk avoidance is exactly as it sounds. It is a business strategy in which certain classes of activities
                                   or business processes are not undertaken because the risks are too high to justify the return on
                                   investment. A risk may be avoided by not accepting or entering into the event that carries the
                                   hazard. This method has severe limitations because such a choice is not always possible, or if
                                   possible, it may require giving up some important advantages. Nevertheless, in some situations
                                   risk avoidance is both possible and desirable.

                                   4.4.3 Transfer

                                   Risk transfer involves transferring the weight or the consequence of a risk on to some other
                                   party. There are many ways that risk transfer can take place. Insurance is a commonly used
                                   method of risk transfer; the insurance company accepts the risk of another. Another form of risk
                                   transfer can happen in the way that a contract is laid out. Risk transfer for low consequences is
                                   usually affordable and reasonable if some level of reasonable and prudent controls is in place.
                                   This meets due diligence standards for low-risk systems. Risk transfer for medium and high
                                   consequences is rare, expensive, and only justified in cases where the worst-case loss is not
                                   sustainable and an adequate outside insurance capacity is willing to take on the risk.

                                   Caution: Risk transfer is a strategy that loses in the long run for medium and high risks.


                                   4.4.4 Reduction

                                   Risk reduction reduces the potential loss associated with a risk. Risks can be reduced by
                                   implementation of standard operating procedures, education and training, limiting the numbers
                                   or types of participants, establishing security methodologies, duplication of records, selecting
                                   appropriate venues, preventive maintenance, etc.

                                   Self Assessment

                                   Fill in the blanks:

                                   12.  ....................... is simply accepting the identified risk without taking any measures to prevent
                                       loss or the probability of the risk happening.
                                   13.  ....................... is a business strategy in which certain classes of activities or business processes
                                       are not undertaken because the risks are too high to justify the return on investment.
                                   14.  ....................... involves transferring the weight or the consequence of a risk on to some
                                       other party.
                                   15.  Risks can be ....................... by implementation of standard operating procedures, education
                                       and training, limiting the numbers or types of participants, etc.
















                                            LOVELY PROFESSIONAL UNIVERSITY