Optimizing AI for immediate response in Smart CCTV
Security Risk management Chapther 8: Risk Evaluation and Mitigation Strategies
1. Risk Evaluation and Mitigation Strategies
This is a presentation on Risk Evaluation and
Mitigation Strategies.
Chapter 8
Presented by EO DETTBARN
2. Risk Evaluation and Mitigation Strategies
After this learning unit you should be able to:
• Discuss the different options for risk evaluation.
• Explain and apply different risk mitigation approaches.
• Explain policy exceptions and risk acceptance.
3. Risk Evaluation and Mitigation Strategies
Options for risk evaluation.
The 4 main once are,
● Avoid
● Accept
● Mitigate
● Transfer
4. Risk Evaluation and Mitigation Strategies
Avoid : The least frequently used however,it is
important to keep it in mind as an option.
Eliminate, withdraw from or not become involved
Accept : Many risks may be unavoidable or just
not worth mitigating for the organization, so in this
case, management needs to make a formal
decision to accept the risk. Many organizations
choose to ignore certain risks, which is really just
an implicit form of acceptance.
5. Risk Evaluation and Mitigation Strategies
Mitigate : To mitigate a risk really means to limit
the exposure in some way. This could include
reducing the likelihood of occurrence, decreasing
the severity of the impact, or even reducing the
sensitivity of the resource. Mitigation does not
imply a complete elimination of risk, just a
reduction to an acceptable level.
6. Risk Evaluation and Mitigation Strategies
Transfer : This option is gaining in popularity.
Example : Insurance to cover the expected
consequences of a risk exposure.
Data breach insurance is just starting to emerge
as an option for organizations, the idea being that
you transfer the risk to the insurance company.
Risk can also be transferred through contracts
with partners and clients or by pushing functions
out to the customer.
7. Risk Evaluation and Mitigation Strategies
Risk mitigation approaches.
There are many options for mitigating a risk.
Focus is not always on trying to eliminate the risk,
but rather to reduce the risk exposure to an
acceptable level. To mitigate a risk, you either
have to reduce the likelihood of occurrence, limit
the severity, or decrease the impact
8. Risk Evaluation and Mitigation Strategies
Risk Alleviation – implementscontrolsto prevent the
threat/vulnerability (such aspatching asoftware
weakness).
Risk Limitation –limitslikelihood or effectswith
controls(such astheexamplesgiven above).
Risk Planning – developsaformal plan to
prioritize,implement,and maintain controls(thisdoesn’t
directly changetherisk exposurelevel,but it assumes
someplan to addresstherisk in thenear
future,therefore,limiting thetimeframefor possible
exposure).
9. Risk Evaluation and Mitigation Strategies
The fourth mitigation option: Re-mediation
This ,isn’t applicable for all risks because not all
risks have a vulnerability that can be removed.
10. Risk Evaluation and Mitigation Strategies
Controls
If we think about the effects that controls can have
on risks, we can agree that they can potentially
lower any one or all of the variables used to
calculate the risk exposure.
11. Risk Evaluation and Mitigation Strategies
A preventative control may change the likelihood
of a vulnerability being exploited, but do nothing to
change the severity of a successful exploit. In
contrast, a reactive control may not lessen the
likelihood at all, but it could limit the severity by
con-straining the scope of the exploit once it is
detected.
12. Risk Evaluation and Mitigation Strategies
Policy exceptions and risk acceptance.
Risk exceptions serve many purposes, including
documenting when
• arisk exposurecan’t bere-mediated or mitigated
• thebusinesschoosesto accept arisk asis
• thecost of mitigation outweighstheimpact of the
exposure
• compensating controlsalready exist
• arisk exposureneedsto beaccepted temporarily
whileit isbeing addressed
13. Risk Evaluation and Mitigation Strategies
Whenever any of these situations occur, an
exception request will need to be filed and
approved. Keep in mind that an exception is not a
permanent approval
Risk Evaluation and Mitigation Strategies
14. Risk Evaluation and Mitigation Strategies
Exception work-flow
The level of approval needed for an exception
depends on the level of risk being introduced by
the deviation from policy and can be directly
mapped to the qualitative risk exposure mapping
table that we have been using.
See page 157 for an example
16. Risk Evaluation and Mitigation Strategies
Theexception request form should capturethe
following information at aminimum:
• Target
Resource(application,system,environment,business
unit,or vendor)
• Submitter
• Functional Unit
• Work flow Status
• Expiration Date
• Risk ActiveStatus
18. Risk Evaluation and Mitigation Strategies
Signature Requirements
There is no “rule”
For risks that does have a low impact and the
likelihood is small a project manager might be
signature might be sufficient. But the higher the
risks impact and likelihood it might require top
management to sign off on such changes.
19. Risk Evaluation and Mitigation Strategies
Expiration and Renewal
A good rule of thumb is for all exceptions to be
valid for a year from the approval date by default;
alternatively, the information security team can
select an expiration date based on the specific
mitigation plan for that exception.
20. Risk Evaluation and Mitigation Strategies
Depending on the level of risk approval can be
done by any of following individuals:
• Either a Senior Manager from the information
security team or the Chief Information Security
Officer.
• Senior management for the functional area or
business unit if the mitigation plan has changed.
