We need an independent perspective in assessing and prioritizing high-risk controls, and in how we evaluate aspects of likelihood and impact, which is how acceptable risks are defined. The findings from risk analysis will play a crucial role in the ongoing risk management process. Encourage collaboration with the security team to review the CIS RAM and the Duty of Care Risk Analysis (DoCRA) risk assessment standard for further information.

Analyze Your Risk


TRANSCRIPT

Thank you for helping us evaluate our controls. Your independent perspective will be helpful to us. The laws we operate under and the cybersecurity standards we use all require us to conduct a risk assessment to determine whether the controls we’re using are appropriate for our risks. So when we receive your findings, we’ll use them to reevaluate our risks. This way, if you find a control that’s partially implemented and we see that it creates a high risk, we will prioritize fixing that control.

If it presents an acceptable risk, we will show you why we think so, and we can discuss whether we neglected an aspect of likelihood or impact that would adjust our risk score.

Your testing and findings will be important to our ongoing risk management process all while maintaining your independence.

How are you seeing others define acceptable risk and reasonableness?

To understand more about how this risk assessment works and how to address the regulations and standards that we operate under, you can read about our risk assessment standard, Duty of Care Risk Analysis (DoCRA), by going to docra.org, by talking to our experts at Reasonable Risk at halock.com, or by going to cisecurity.org and reviewing CIS RAM with the security team.