Risk response

admin, 2023-10-14 23:23:18, 21 comments, 7,934 characters, about 26 minutes to read

Risk Responses



Whether a quantitative or qualitative risk assessment was performed, there are many elements of risk response that apply equally to both approaches. Once the risk analysis is complete, management must address each specific risk. There are several possible responses to risk:


  • Mitigation or reduction

  • Assignment or transfer

  • Deterrence

  • Avoidance

  • Acceptance

  • Rejection or ignoring


These risk responses all relate to an organization's risk appetite and risk tolerance. Risk appetite is the total amount of risk that an organization is willing to shoulder in aggregate across all assets. Risk capacity is the level of risk an organization is actually able to shoulder; an organization's desired risk appetite may be greater than its actual capacity. Risk tolerance is the amount or level of risk that an organization will accept per individual risk, and it is often expressed in relation to a risk target, which is the preferred level of risk for a specific asset-threat pairing. A risk limit is the maximum level of risk above the risk target that will be tolerated before further risk management actions are taken.

You need to know the following information about the possible risk responses:

  • Risk Mitigation: Reducing risk, or risk mitigation, is the implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats. Deploying encryption and using firewalls are common examples of risk mitigation or reduction. Elimination of an individual risk can sometimes be achieved, but typically some risk remains even after mitigation or reduction efforts.

  • Risk Assignment: Assigning risk or transferring risk is the placement of the responsibility for loss due to a risk onto another entity or organization. Purchasing cybersecurity or traditional insurance and outsourcing are common forms of assigning or transferring risk. Also known as assignment of risk and transference of risk.

  • Risk Deterrence: Risk deterrence is the process of implementing deterrents to would-be violators of security and policy. The goal is to convince a threat agent not to attack. Some examples include implementing auditing, security cameras, and warning banners; using security guards; and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.

  • Risk Avoidance: Risk avoidance is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes. The risk is avoided by eliminating the risk cause. A business leader terminating a business endeavor because it does not align with organizational objectives and has a high risk versus reward ratio is also an example of risk avoidance.

  • Risk Acceptance: Accepting risk, or acceptance of risk, is the result after a cost/benefit analysis shows that countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized. In most cases, accepting risk requires a clearly written statement that indicates why a safeguard was not implemented, who is responsible for the decision, and who will be responsible for the loss if the risk is realized, usually in the form of a document signed by senior management.

  • Risk Rejection: An unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due care/due diligence responses to risk. Rejecting or ignoring risk may be considered negligence in court.

Legal and in Compliance

Every organization needs to verify that its operations and policies are legal and in compliance with their stated security policies, industry obligations, contracts, and regulations. Auditing is necessary for compliance testing, also called compliance checking. Verification that a system complies with laws, regulations, baselines, guidelines, standards, best practices, contracts, and policies is an important part of maintaining security in any environment. Compliance testing ensures that all necessary and required elements of a security solution are properly deployed and functioning as expected.


These are all important considerations when selecting risk response strategies.



Inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed. Inherent risk can exist due to the supply chain, developer operations, design and architecture of a system, or the knowledge and skill base of an organization. Inherent risk is also known as initial risk or starting risk. This is the risk that is identified by the risk assessment process.


Once safeguards, security controls, and countermeasures are implemented, the risk that remains is known as residual risk. Residual risk consists of threats to specific assets against which upper management chooses not to implement a response. In other words, residual risk is the risk that management has chosen to accept rather than mitigate. In most cases, the presence of residual risk indicates that the cost/benefit analysis showed that the available safeguards were not cost-effective deterrents.


Total risk is the amount of risk an organization would face if no safeguards were implemented. A conceptual formula for total risk is as follows:

threats * vulnerabilities * asset value = total risk


The difference between total risk and residual risk is known as the controls gap. The controls gap is the amount of risk that is reduced by implementing safeguards. A conceptual formula for residual risk is as follows:

total risk – controls gap = residual risk
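The two conceptual formulas above, together with the risk target, risk limit and cost/benefit acceptance rule described earlier, can be worked through on a small risk register. This is an added example, not code from the original post; the register entries, safeguard costs and reduction fractions are constructed sample values, and the "fraction of remaining risk removed" model for a safeguard is an assumption made here for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RiskEntry:
    """One asset-threat pairing in a risk register (constructed sample data)."""
    asset: str
    threat: str
    threat_likelihood: float  # annual probability that the threat acts (0..1)
    vulnerability: float      # probability the threat succeeds if it acts (0..1)
    asset_value: float        # monetary value at stake
    risk_target: float        # preferred residual risk level for this pairing
    risk_limit: float         # maximum tolerated level above the target
    # safeguards already deployed: (name, annual cost, fraction of remaining risk removed)
    safeguards: list = field(default_factory=list)

def total_risk(e: RiskEntry) -> float:
    # threats * vulnerabilities * asset value = total risk (risk with no safeguards)
    return e.threat_likelihood * e.vulnerability * e.asset_value

def residual_risk(e: RiskEntry) -> float:
    # Assumption: each deployed safeguard removes a fraction of whatever risk remains.
    risk = total_risk(e)
    for _name, _cost, reduction in e.safeguards:
        risk *= (1.0 - reduction)
    return risk

def controls_gap(e: RiskEntry) -> float:
    # total risk - controls gap = residual risk, so the gap is what the safeguards removed
    return total_risk(e) - residual_risk(e)

def classify(e: RiskEntry) -> str:
    """Compare residual risk against the pairing's risk target and risk limit."""
    residual = residual_risk(e)
    if residual <= e.risk_target:
        return "within target"
    if residual <= e.risk_limit:
        return "tolerated (above target, below limit)"
    return "exceeds limit: further risk management action required"

def accept_rather_than_mitigate(e: RiskEntry, candidate: tuple) -> bool:
    """Cost/benefit rule for risk acceptance: a countermeasure whose annual cost
    exceeds the loss it would prevent is not deployed and the risk is accepted."""
    _name, cost, reduction = candidate
    prevented_loss = residual_risk(e) * reduction
    return cost > prevented_loss

# Constructed register entry: customer database exposed to ransomware, firewall deployed.
DB_RANSOMWARE = RiskEntry("customer-db", "ransomware", 0.2, 0.5, 500_000.0,
                          risk_target=15_000.0, risk_limit=25_000.0,
                          safeguards=[("firewall", 5_000.0, 0.6)])
```

Running `classify(DB_RANSOMWARE)` shows the pairing as tolerated (residual 20,000 against a 15,000 target and 25,000 limit), and a candidate encryption control costing more than the 10,000 it would prevent is a documented acceptance rather than a mitigation.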


As with risk management in general, handling risk is not a onetime process. Instead, security must be continually maintained and reaffirmed. In fact, repeating the risk assessment and risk response processes is a necessary function to assess the completeness and effectiveness of the security program over time. Additionally, it helps locate deficiencies and areas where change has occurred. Because security changes over time, reassessing on a periodic basis is essential to maintaining reasonable security.


Control risk is the risk introduced by deploying a countermeasure into an environment. Most safeguards, security controls, and countermeasures are themselves some sort of technology. No technology is perfect and no security is perfect, so some vulnerability exists in the control itself. Although a control may reduce the risk of a threat to an asset, it may also introduce a new risk: a threat that can compromise the control itself. Thus, risk assessment and response must be an iterative operation that looks back on itself to make continuous improvements.


Originally published on the WeChat official account 网络安全等保测评: Risk response

Posted by admin on 2023-10-14 23:23:18. Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): Risk response http://cn-sec.com/archives/2113267.html
