Professional Documents
Culture Documents
Risk Appetite and Residual Risk
Risk Appetite and Residual Risk
Reference:
- NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments, Sept. 2011
Risk Control
• Involves selection of control strategies, justification of strategies
to upper management, and implementation/monitoring/on going
assessment of adopted controls
• Once the ranked vulnerability risk worksheet is complete, the
organization must choose one of five strategies to control each
risk:
– Defense (Protection)
– Transference (still need the activities, but do not want to bear the
risk, then transfer to someone else)
– Mitigation (lower down impact)
– Acceptance (take the risk, don’t put any control)
– Termination (throw away/stop the activities you don’t have to bear
the risks at all )
Defense
• Acceptance
– Doing nothing to protect a vulnerability and accepting the
outcome of its exploitation
– Valid only when the particular function, service,
information, or asset does not justify the cost of protection
• Termination
– Directs the organization to avoid business activities that
introduce uncontrollable risks
– May seek an alternate mechanism to meet the customer
needs
Selecting a Risk Control Strategy