Hi everyone. We currently only have a Risk Exception workflow and I'm researching how to implement one for Risk Acceptance. Would like to hear from those who have experience with Risk Acceptance in IT Security.
Any feedback/guidance would be greatly appreciated.
Being unfamiliar with the term risk exception, a quick web search told me it is also called security exception. Then the article
helped me understand the question above. This may help other forum members follow this thread, too.
Nice write-up. Clear and to the point. Generally I see these types of risk acceptance in PCI-DSS audits and only occasionally in healthcare. Both generally due to old or "obsolete" equipment no longer under maintenance. For example, everyone's favorite network-connected health device - heart monitors. Yes, it still functions very well, but the software hasn't been updated for a security flaw in years. Do you throw the machine away because of software obsolescence? Lots of cases like that and more simply become an accepted risk, or face being bound to the manufacturer withholding patches every six months so they can sell you a new machine.
I know what you're thinking - yes, they would.
If you want to understand it for CISSP, then the easy way I try to put it: we accept residual risk after mitigation, as beyond a certain control implementation you can't mitigate risk, or it is not viable to mitigate risk beyond a certain point; that remaining risk you accept. Meaning the remaining risk is not big enough to cause much harm.
An exception is applied when you are in the process of finding a solution or applying a solution, so meanwhile you are documenting it. You are aware of the risk, and either you are applying the solution until the final solutions are applied, or until you find a way to fix it. An exception is short term.
All too many times these exceptions are never truly retired. They just keep the exception tag for years on end. As is often the case in business, saying and doing often don't agree on a plan of action.
Sometimes we have to be a bit pragmatic about our decisions.
I saw one exception that was more than 10 years old at a candy manufacturer because the software still ran on a PDP-10.
Cash-strapped hospitals rarely have the financial leeway to solve every problem over providing healthcare - head buried in sand or not. Sometimes the reality on the ground requires outside funding, not a lack of will to solve a problem. In the healthcare example you could fine them out of existence for an exception, but that would only put human health at greater risk than the gain of fixing a vulnerable process.