20. Exercise: Risk Treatment
In the following exercise you will name and define the four types of risk treatment that we discussed in this section. In addition, you will consider a risk scenario and write how you might treat the risk using each of the four risk treatments.
Answer the following scenario:
QUESTION:
Q1) List and define the four risk treatments discussed in this section.
Q2) Write a brief narrative as to how you might apply each of the four risk treatments to the following scenario. For instance, if the organization chooses to __ the risk, we may (take what action?).
Risk Scenario - Your organization is considering moving to a new HR management system. During a review of the platform, you discovered that the platform does not encrypt the database containing each HR record. You created a risk statement that says the following - "Database is unencrypted which may cause unauthorized access to HR records or data leakage".
ANSWER:
Please review this sample answer.
The four risk treatments are:
Accept - Accept the risk without taking any further action. Acknowledge the risk and do nothing.
Modify / Mitigate - Implement a control that lessens or changes the risk in some way.
Transfer - In most cases cybersecurity risk transference means insuring against the risk occurring through a cybersecurity insurance policy or creating a shared liability model with a vendor.
Avoid - Choose to do something altogether different.
Accept - The organization has chosen to use the new HR system regardless of this risk.
Modify/Mitigate - The organization will implement the solution but will use a different database that supports encryption, or will institute strong monitoring controls to create alerts in the event of unauthorized access.
Avoid - As a result of the risk, the organization has chosen not to use the product.