Risk Management - Accept Residual Risk

Posted by Harisinh | Posted on 2:29 AM

At some point, management needs to decide whether the operation of the computer system is acceptable, given the kind and severity of the remaining risks. Many managers do not fully understand computer-based risk, for several reasons:

(1) the type of risk may be different from risks previously associated with the organization or function;

(2) the risk may be technical and difficult for a lay person to understand; or

(3) the proliferation and decentralization of computing power can make it difficult to identify the key assets that may be at risk.


Risk acceptance, like the selection of safeguards, should take into account various factors besides those addressed in the risk assessment. In addition, risk acceptance should take into account the limitations of the risk assessment. (See the section below on uncertainty.) Risk acceptance is linked to the selection of safeguards since, in some cases, risk may have to be accepted because safeguards are too expensive (in either monetary or nonmonetary factors).

Within the federal government, the acceptance of risk is closely linked with the authorization to use a computer system, often called accreditation, discussed in Chapters 8 and 9. Accreditation is the acceptance of risk by management resulting in a formal approval for the system to become operational or remain so. As discussed earlier in this chapter, one of the two primary functions of risk management is the interpretation of risk for the purpose of risk acceptance.
