Page 53 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Unit 4: Risk Analysis




               incorporate such information; and updating or replacing the assumptions to reflect new
               data or scientific understandings.



             Did u know? What is the purpose of risk management?
             The purpose of a risk assessment is to help management create appropriate strategies and
             controls for stewardship of information assets.




             Notes  Risk assessments must be conducted by teams that include both functional managers
             and information technology administrators. As business operations, workflow, or
             technologies change, periodic reviews should be conducted to analyze these changes. The
             effect of new threats and vulnerabilities created by these changes has to be determined. A
             thorough check of the effectiveness of existing controls is also required.

          Self Assessment

          Fill in the blanks:
          7.   A threat is an event, process, activity, or action that exploits a ....................... to attack an
               asset.

          8.   ....................... are safeguards that reduce the probability that a threat will exploit a
               vulnerability to successfully attack an asset.

          9.   A technique to ....................... data includes preparing a list of assets and showing
               corresponding threats, type of loss and vulnerability.

          10.  The primary purpose of risk assessment should always be to deal with those aspects of
               ....................... that are uncertain.

          11.  As events occur and control activities take place, ....................... changes and increases.

          4.4 Approaches and Considerations

          Risks that are worthy of attention are managed, and risks not worthy of consideration are
          accepted. A risk treatment plan should be defined for every identified risk. An identified risk
          can be, and usually is, managed by one of four approaches: risk transfer, risk avoidance, risk
          reduction and risk acceptance.

          4.4.1 Acceptance

          Risk acceptance is also known as risk retention. It is simply accepting the identified risk
          without taking any measures to prevent the loss or to reduce the probability of the risk
          occurring. It involves a decision by management to accept a given risk without further
          mitigation or transfer, for a period of time. This happens in two classes of circumstances. For
          risks that are too low to bother protecting against, or for which insurance and due diligence
          are adequate, the risk is accepted outright. For risks that are to be mitigated but where
          mitigation cannot be done instantaneously, or where rapid mitigation is too expensive to be
          warranted, the risk is accepted for the period during which mitigation is undertaken. This
          approach is ideal for those risks that will not create a high amount of loss if they occur; such
          risks would in fact be more costly to manage than to allow.
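          The two classes of acceptance described above, as an added worked example that is not part of the textbook: a small risk register in which a risk is accepted outright when its expected yearly loss is below a threshold, when insurance is judged adequate, or when the control would cost more than the loss it prevents, and is accepted only until a review date when mitigation is scheduled but cannot be done at once. The threshold, the sample risks and their figures are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Risk:
    name: str
    likelihood: float                       # annual probability the threat exploits the vulnerability (0..1)
    impact: float                           # loss if it does, in currency units
    control_cost: float                     # annual cost of the control that would reduce the risk
    mitigation_days: Optional[int] = None   # days until mitigation can be completed; None = not scheduled
    insured: bool = False                   # insurance and due diligence judged adequate


def annual_loss_expectancy(r: Risk) -> float:
    """Expected yearly loss from the risk: likelihood x impact."""
    return r.likelihood * r.impact


def treatment_decision(r: Risk, today: date, low_risk_threshold: float) -> dict:
    """Return {'treatment', 'review_by', 'reason'} for one risk, following the two acceptance classes."""
    ale = annual_loss_expectancy(r)
    # First class: too low to bother protecting against, or adequately insured.
    if ale < low_risk_threshold:
        return {"treatment": "accept", "review_by": None, "reason": f"ALE {ale:.0f} below threshold"}
    if r.insured:
        return {"treatment": "accept", "review_by": None, "reason": "insurance and due diligence adequate"}
    # More costly to manage than to allow: the control costs more per year than the loss it prevents.
    if r.control_cost > ale:
        return {"treatment": "accept", "review_by": None, "reason": f"control cost exceeds ALE {ale:.0f}"}
    # Second class: mitigation is warranted but not instantaneous, so acceptance is time-bound
    # and carries a review date at which the acceptance must be closed or renewed by management.
    if r.mitigation_days is not None:
        return {"treatment": "accept_pending_mitigation",
                "review_by": today + timedelta(days=r.mitigation_days),
                "reason": f"mitigation scheduled within {r.mitigation_days} days"}
    # Otherwise the risk must be treated by reduction, transfer or avoidance.
    return {"treatment": "treat", "review_by": None, "reason": f"ALE {ale:.0f} warrants treatment"}


def overdue_acceptances(decisions: dict, today: date) -> list:
    """Names of risks whose temporary acceptance period has elapsed without being closed."""
    return [n for n, d in decisions.items() if d["review_by"] is not None and d["review_by"] < today]


# Constructed sample register; figures are illustrative only.
SAMPLE_RISKS = [
    Risk("lobby kiosk defacement", likelihood=0.5, impact=2_000, control_cost=500),
    Risk("laptop theft", likelihood=0.2, impact=50_000, control_cost=30_000, insured=True),
    Risk("legacy server unpatched", likelihood=0.3, impact=200_000, control_cost=20_000, mitigation_days=60),
    Risk("database exposure", likelihood=0.3, impact=500_000, control_cost=40_000),
]


def decide_register(today: date = date(2024, 1, 1), threshold: float = 5_000) -> dict:
    """Apply treatment_decision to every sample risk."""
    return {r.name: treatment_decision(r, today, threshold) for r in SAMPLE_RISKS}
```

Running `decide_register()` accepts the kiosk and laptop risks, time-boxes the legacy server acceptance to 1 March 2024, and flags the database exposure for treatment; `overdue_acceptances` then lists any time-boxed acceptance whose review date has passed.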




                                           LOVELY PROFESSIONAL UNIVERSITY                                   47