Page 179 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Once countermeasures are implemented, the risk that remains is known as residual risk. Residual risk comprises threats to specific assets against which upper management chooses not to implement a safeguard. In other words, residual risk is the risk that management has chosen to accept rather than mitigate. In most cases, the presence of residual risk indicates that the cost/benefit analysis showed that the available safeguards were not cost-effective deterrents.

Total risk is the amount of risk an organization would face if no safeguards were implemented. A formula for total risk is as follows:

    threats * vulnerabilities * asset value = total risk

(Note that the * here does not imply multiplication, but a combination function; this is not a true mathematical formula.) The difference between total risk and residual risk is known as the controls gap. The controls gap is the amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows:

    total risk – controls gap = residual risk

As with risk management in general, handling risk is not a one-time process. Instead, security must be continually maintained and reaffirmed. In fact, repeating the risk assessment and analysis process is a mechanism to assess the completeness and effectiveness of the security program over time. Additionally, it helps locate deficiencies and areas where change has occurred. Because the threat landscape, the asset inventory, and the effectiveness of controls all change over time, reassessing on a periodic basis is essential to maintaining reasonable security.
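The following worked example is added here and is not part of the study guide. It turns the two formulas above into a small risk register for one asset: it computes total risk, the controls gap produced by the safeguards that were actually implemented, and the residual risk that remains for management to accept. Because the guide says the * in the total-risk formula is a combination function rather than multiplication, the example has to assume one concrete combination; it uses likelihood of occurrence per year times the fraction of asset value exposed times asset value (an annualized loss figure) and sums over the asset's threats. The asset, threats, safeguards and all money figures are constructed, and the cost-effectiveness check (a safeguard must cost less than the risk it removes) is the author's own illustration of the cost/benefit reasoning the text describes.

```python
"""Worked risk register: total risk, controls gap and residual risk for one asset.

Assumption: 'threats * vulnerabilities * asset value' is combined here as
likelihood (per year) x exposure factor x asset value per threat, summed over
threats. All names and figures below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: float   # expected occurrences per year
    exposure: float     # fraction of asset value lost per occurrence, 0.0 - 1.0


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    reduction: float           # fraction of the threat's exposure this safeguard removes, 0.0 - 1.0
    implemented: bool = True   # False = management chose to accept this risk instead


@dataclass
class Asset:
    name: str
    value: float
    threats: list[Threat]
    safeguards: dict[str, list[Safeguard]] = field(default_factory=dict)  # threat name -> safeguards


def threat_risk(asset: Asset, threat: Threat) -> float:
    """Risk from one threat with no safeguards in place."""
    return threat.likelihood * threat.exposure * asset.value


def total_risk(asset: Asset) -> float:
    """Risk the organization faces if no safeguards are implemented."""
    return sum(threat_risk(asset, t) for t in asset.threats)


def controls_gap(asset: Asset) -> float:
    """Risk removed by the safeguards that are actually implemented.
    Several safeguards on one threat reduce the remaining exposure multiplicatively."""
    gap = 0.0
    for threat in asset.threats:
        remaining = 1.0
        for sg in asset.safeguards.get(threat.name, []):
            if sg.implemented:
                remaining *= 1.0 - sg.reduction
        gap += threat_risk(asset, threat) * (1.0 - remaining)
    return gap


def residual_risk(asset: Asset) -> float:
    """total risk - controls gap: the risk management has chosen to accept."""
    return total_risk(asset) - controls_gap(asset)


def cost_effective(asset: Asset, threat: Threat, sg: Safeguard) -> bool:
    """Cost/benefit check for one safeguard considered on its own: it must cost
    less than the risk it removes and less than the asset it protects."""
    benefit = threat_risk(asset, threat) * sg.reduction
    return sg.annual_cost < benefit and sg.annual_cost < asset.value


# Constructed sample register (hypothetical asset, threats and safeguards).
RANSOMWARE = Threat("ransomware", likelihood=0.2, exposure=0.5)
INSIDER = Threat("insider data theft", likelihood=0.1, exposure=0.8)
CUSTOMER_DB = Asset(
    name="customer database",
    value=500_000.0,
    threats=[RANSOMWARE, INSIDER],
    safeguards={
        "ransomware": [
            Safeguard("offline backups", annual_cost=8_000.0, reduction=0.6),
            # Costs more than the risk it removes, so management accepted that slice of risk.
            Safeguard("second EDR product", annual_cost=20_000.0, reduction=0.3, implemented=False),
        ],
        "insider data theft": [
            Safeguard("DLP suite", annual_cost=60_000.0, reduction=0.5, implemented=False),
        ],
    },
)


def risk_summary(asset: Asset) -> dict[str, float]:
    return {
        "total_risk": total_risk(asset),
        "controls_gap": controls_gap(asset),
        "residual_risk": residual_risk(asset),
    }


if __name__ == "__main__":
    for key, val in risk_summary(CUSTOMER_DB).items():
        print(f"{key:>14}: {val:>10,.0f}")
    for threat in CUSTOMER_DB.threats:
        for sg in CUSTOMER_DB.safeguards.get(threat.name, []):
            print(f"{sg.name:<20} cost-effective: {cost_effective(CUSTOMER_DB, threat, sg)}")
```

For the constructed register the total risk is 90,000, the one implemented safeguard closes a controls gap of 30,000, and the residual risk of 60,000 is exactly the sum of the slices whose safeguards failed the cost/benefit check. Re-running the register after an asset value, threat likelihood or safeguard changes is the periodic reassessment the text calls for.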


               Countermeasure Selection and Implementation

Selecting a countermeasure or control (short for security control) within the realm of risk management relies heavily on the cost/benefit analysis results. However, you should consider several other factors when assessing the value or pertinence of a security control:

    The cost of the countermeasure should be less than the value of the asset.

    The cost of the countermeasure should be less than the benefit of the countermeasure.