topic Re: Risk Exception vs Risk Acceptance in Tech Talk

Risk Exception vs Risk Acceptance

Sundragon56 — Mon, 09 Oct 2023 09:32:52 GMT

Hi everyone. We currently only have a Risk Exception workflow and I'm researching on how to implement one for Risk Acceptance. Would like to hear from those who have experience with Risk Acceptance in IT Security.

Any feedback/guidance would be greatly appreciated.

Re: Risk Exception vs Risk Acceptance

CraginS — Mon, 08 Jun 2020 16:48:42 GMT

@Sundragon56 wrote:
Hi everyone. We currently only have a Risk Exception workflow and I'm researching on how to implement one for Risk Acceptance.

Rodolfo,

Being unfamiliar with the term risk exception, a quick web search told me it is also called security exception. Then the article

Security Exception vs. Risk Acceptance: What's the Difference?

helped me understand the question above. This may help other forum members follow this thread, too.

Craig

Re: Risk Exception vs Risk Acceptance

Beads — Mon, 08 Jun 2020 20:56:29 GMT

Nice write up. Clear and to the point. Generally I see these types of risk acceptance in PCI-DSS audits and only occasionally in healthcare. Both generally due to old or "obsolete" equipment no longer under maintenance. For example, everyone's favorite network connected health device - heart monitors. Yes, it still functions very well but the software hasn't been updated for a security flaw in years. Do you throw the machine away because of software obsolescence? Lots of cases like that and more simply become an accepted risk or face being bound to the manufacturer withholding patches every six months so they can sell you a new machine.

I know what your thinking - yes they would.

- b/eads

Re: Risk Exception vs Risk Acceptance

njadia — Tue, 09 Jun 2020 00:23:51 GMT

Hi,

If you want to understand for CISSP, then easy way i try to put: we accept residual risk after mitigation as beyond certain control implementation, you cant mitigate risk or it is not viable to mitigate risk beyond certain point, that remaining risk you accept. Means, remaining risk is not big enough to cause much harm.

Exception is applied when you are in process of finding solution or applying solution, so meanwhile you are documenting it. you are aware of the risk and either you are implying the solution till final solutions are applied. or till you find to fix it. Exception is short term

Re: Risk Exception vs Risk Acceptance

Beads — Tue, 09 Jun 2020 18:05:00 GMT

All to many times these exceptions are never truly retired. They just keep the exception tag for years on end. As often the case in business saying and doing often don't agree on a plan of action.

Sometimes we have to be a bit pragmatic about our decisions.

- b/eads

Re: Risk Exception vs Risk Acceptance

Caute_cautim — Thu, 11 Jun 2020 06:16:51 GMT

@Beads Unless you encounter those who would bury their heads in the sand, and hope it goes away.

Regards

Caute_cautim

Re: Risk Exception vs Risk Acceptance

Beads — Thu, 11 Jun 2020 14:56:02 GMT

I saw one exception that was more than 10 years old at a candy manufacturer because the software still ran on a PDP-10.

Cash straps hospitals rarely have the financial leeway to solve every problem over providing healthcare - head buried in sand or not. Sometimes the reality on the ground requires outside funding not a lack of will to solve a problem. In the healthcare example you could fine them out of existence for an exception but that would only put human health at greater risk than the gain of fixing a vulnerable process.

- b/eads