Domain 1 · Lesson 6 of 10

Risk Treatment, Frameworks & Residual Risk

Risk Treatment & Management Frameworks

4 Risk Treatment Options

After identifying and assessing a risk, the organization must decide how to respond. There are exactly four options — the exam will test all of them.

MITIGATE · Reduce risk by implementing controls

Implement security controls to reduce the likelihood or impact of a risk occurring.

TS Example: AES-256-CTR encryption for PII storage; WAF in front of Platform C web layer; OTP rate limiting to prevent brute force
ACCEPT · Acknowledge the risk and take no further action

Formally acknowledge the risk, document it, and accept the potential consequences. No additional controls are implemented.

TS Example: Accept the single-vendor dependency on eKYC Vendor (the cost of running dual KYC vendors exceeds the expected loss); document it in the risk register with a management signature
AVOID · Stop the activity that creates the risk

Eliminate the risk by ceasing the activity that creates it. This is the most effective treatment, but it is not always practical.

TS Example: Don't store card PANs at all; use tokenization via Card Processor so Platform C never touches raw PAN data, eliminating PCI-DSS scope
TRANSFER · Move the financial impact to another party

Move the financial consequences of risk to a third party (insurance, contractual liability). Risk still exists — only the financial impact is shifted.

TS Example: Cyber insurance policy covering data breach costs; contractual indemnification clause with bank partners for data handling; SLA penalties covered by vendor contracts
Critical principle: Risk cannot be eliminated — even after treatment, Residual Risk always remains. "Eliminate risk" is always a wrong answer on CISSP.

Total Risk vs Residual Risk

Total Risk
Risk level before any controls are applied. Theoretical maximum exposure.
Total Risk = Threat × Vulnerability × Asset Value (AV)
Residual Risk
Risk remaining after controls are applied. Management must formally accept this.
Residual Risk = Total Risk × (1 − Control Effectiveness)

Risk Register

A risk register documents all identified risks, their assessment, treatment decisions, owners, and current status. It is a living document — updated regularly.

Field | Description
Risk ID & Description | Unique identifier and clear description of the risk
Likelihood & Impact | Qualitative or quantitative risk rating
Treatment Decision | Mitigate / Accept / Avoid / Transfer, with rationale
Risk Owner | Named individual accountable for managing this risk
Status | Open / In Progress / Mitigated / Accepted
Review Date | When this risk will be reassessed

Risk Management Frameworks

Framework | Full Name | Key Feature
NIST RMF | Risk Management Framework | 7 steps: Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor
ISO 31000 | Risk Management — Guidelines | International standard for risk management across all types of organizations
OCTAVE | Operationally Critical Threat, Asset, and Vulnerability Evaluation | Organization-driven; focuses on operational risks; good for smaller organizations
FAIR | Factor Analysis of Information Risk | Quantitative model; decomposes risk into factors to produce financial estimates
NIST RMF 7 Steps (memorize the order):
1. Prepare 2. Categorize 3. Select 4. Implement 5. Assess 6. Authorize 7. Monitor

Key Terms

Term | Definition
Risk Mitigation | Implement controls to reduce risk likelihood or impact
Risk Acceptance | Formally acknowledge and document the risk; no additional controls
Risk Avoidance | Stop the activity that creates the risk
Risk Transfer | Move the financial impact to a third party (insurance, contract)
Residual Risk | Risk remaining after controls; must be formally accepted by management
Risk Register | Living document tracking all identified risks, treatments, owners
NIST RMF | 7-step federal risk management framework
Cyber Insurance | Risk transfer mechanism covering the financial impact of cyber incidents
Exam Tips
1. Risk cannot be "eliminated" — this is always wrong on CISSP. Residual risk is a permanent concept. Even the best controls leave residual risk.
2. Risk acceptance must be formally documented and approved by management — not by IT. IT can recommend acceptance, but a named manager must sign off. Undocumented acceptance = negligence.
3. Insurance = risk transfer (moves financial impact only — the risk itself still exists). Insurance does not prevent incidents; it just pays for them.
4. NIST RMF step order: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. The exam tests "what comes after Select?" → Implement.
5. Risk avoidance = most effective (eliminates risk entirely by stopping the activity), but may not be practical for core business functions.
Work Application — FinTech Company X Risk Register

Build a sample risk register entry for each Platform C risk:

Risk ID | Description | Treatment | Action | Owner | Status
R-01 | Unencrypted PII in Platform A legacy DB | Mitigate | Encrypt with AES-256-CTR; migrate legacy data | Hoa (EM) | In Progress
R-02 | Outage of eKYC Vendor, the single eKYC provider | Accept | Manual fallback KYC flow documented; dual-vendor cost prohibitive | Product | Accepted (signed)
R-03 | Card Processor breach impacting Partner E | Transfer | Cyber insurance + contractual liability clause in Card Processor contract | Legal | Open
R-04 | OTP brute force on Platform C login | Mitigate | 5 attempts/hr rate limit + 15-min account lockout | Engineering | Done
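As an added worked example (not part of the lesson), the Total Risk and Residual Risk formulas from the earlier section and the register rows above are modelled in Python: each entry computes both values with the lesson's formulas, and a check function enforces the exam-tip rules (named owner, review date, signed-off acceptance, and no control claiming 100% effectiveness). The numeric factors, dates and the 0..1 scales are constructed assumptions, not figures from the lesson.

```python
from dataclasses import dataclass

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    threat: float          # threat likelihood factor, 0..1 (constructed scale)
    vulnerability: float   # exploitability factor, 0..1 (constructed scale)
    asset_value: float     # AV, in currency units
    treatment: str         # Mitigate / Accept / Avoid / Transfer
    owner: str             # named individual accountable for the risk
    control_effectiveness: float = 0.0  # Mitigate only, 0..1
    accepted_by: str = ""  # manager who signed off an Accept decision
    review_date: str = ""  # date of next reassessment

    def total_risk(self) -> float:
        # Lesson formula: Total Risk = Threat x Vulnerability x AV
        return self.threat * self.vulnerability * self.asset_value

    def residual_risk(self) -> float:
        # Lesson formula: Residual Risk = Total Risk x (1 - Control Effectiveness)
        if self.treatment == "Mitigate":
            return self.total_risk() * (1 - self.control_effectiveness)
        if self.treatment == "Avoid":
            return 0.0  # the activity that created this risk no longer exists
        # Accept adds no control; Transfer only shifts the financial impact.
        return self.total_risk()

def register_issues(e: RiskEntry) -> list:
    """Exam-tip checks: named owner, review date, signed-off acceptance, no 'perfect' control."""
    issues = []
    if not e.owner:
        issues.append("no named risk owner")
    if not e.review_date:
        issues.append("no review date")
    if e.treatment == "Accept" and not e.accepted_by:
        issues.append("acceptance not signed off by management")
    if e.treatment == "Mitigate" and not 0.0 < e.control_effectiveness < 1.0:
        issues.append("control effectiveness must be between 0 and 1")
    return issues

REGISTER = [  # constructed rows modelled on the lesson's R-01..R-03; all figures invented
    RiskEntry("R-01", "Unencrypted PII in Platform A legacy DB", 0.6, 0.8, 500_000,
              "Mitigate", "Hoa (EM)", control_effectiveness=0.9, review_date="2025-12-01"),
    RiskEntry("R-02", "eKYC Vendor outage (single vendor)", 0.3, 0.5, 200_000,
              "Accept", "Product", review_date="2025-12-01"),  # no management sign-off yet
    RiskEntry("R-03", "Card Processor breach hitting Partner E", 0.2, 0.5, 1_000_000,
              "Transfer", "Legal", review_date="2026-01-15"),
]
```

Running `register_issues` over `REGISTER` flags R-02 as accepted without a manager's signature, while R-03 (Transfer) keeps its full residual risk because insurance shifts only the financial impact.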

Practice Questions

Q1. FinTech Company X decides to stop storing card PANs entirely, routing all card transactions through Card Processor tokenization. Which risk treatment does this represent?

A) Risk Avoidance — eliminating the risk by stopping the activity (PAN storage) that creates it
Rationale: Risk Avoidance means ceasing the activity that creates the risk. By not storing PANs at all, FinTech Company X eliminates the PCI-DSS risk associated with PAN storage entirely. This is the most effective treatment but requires architectural changes. It's different from mitigation (which would encrypt the PANs) — avoidance removes the data entirely.

Q2. After implementing AES-256-CTR encryption and access controls on the Platform A database, what is the correct term for the remaining risk?

A) Residual Risk — the risk that remains after controls are applied; cannot be completely eliminated
Rationale: Even the best controls leave some residual risk. After implementing encryption and access controls, there is still residual risk (e.g., insider threat, key management failure, zero-day exploits). The organization must formally accept this residual risk — it cannot be driven to zero.

Q3. The CTO identifies a risk and decides no additional controls are needed, but wants to ensure this decision is recorded. What must happen?

A) The risk acceptance must be formally documented and signed by the appropriate management authority
Rationale: Risk acceptance is valid — but only if it is formally documented with the accepting manager named and signing off. Undocumented acceptance is effectively negligence. The risk register should capture: the risk description, why it's being accepted, who accepted it, and when it will be reviewed.

Q4. In the NIST Risk Management Framework, which step follows "Select" (selecting security controls)?

A) Implement — after selecting controls, they must be implemented in the system
Rationale: NIST RMF order: Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor. After "Select" (choosing which controls to apply based on categorization), the next step is "Implement" (actually putting those controls in place). "Assess" comes later — it evaluates whether the implemented controls are working.

Q5. FinTech Company X purchases cyber insurance to cover the financial cost of a potential data breach. What type of risk treatment is this?

A) Risk Transfer — moves the financial impact of the risk to the insurance company; the risk itself still exists
Rationale: Cyber insurance is risk transfer (also called risk sharing). It moves the financial consequence of a breach to the insurer. Critically: the risk still exists — a breach can still happen. Insurance does not prevent incidents; it compensates for them. The organization must still maintain security controls to qualify for insurance and to actually prevent incidents.