
Risk Tolerance: Acceptable Risks

  • 1.  Risk Tolerance: Acceptable Risks

    Posted Dec 11, 2020 11:13:00 AM

    Hello!

    In section 2.1.2 of the Security Guidance V4 of the CCSK training, they talk more about risk tolerance and how risk decisions should be based on the value and requirements of the assets involved. What would be some examples of acceptable risks for different types of assets?

    Thanks :)



    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: Risk Tolerance: Acceptable Risks
    Best Answer

    Posted Dec 11, 2020 12:05:00 PM
    Much of the risk in the cloud can be seen as data-driven. When an enterprise shifts to cloud, oftentimes they don't have a set governance model around data classification models. Based on the application (consider Slack versus email), they may be more willing to accept that they can't control content through Slack, and will only focus more on user email ingoing and outgoing. Slack could still be a risk, but the business knows that more sensitive material is probably being distributed via email, so their focus shifts towards that asset first. This would require firewall configurations and whitelisting, as well as logging for emails that may contain sensitive material or PII.

    It is important to understand a business impact assessment (BIA) in this scenario. Every piece of technology (both cloud and on-prem) should be taken into account and given a rating of most critical to least critical. A business will probably have a lower risk tolerance for the more critical infrastructure.

    Another example is government regulations with respect to regional location for a business. It may be acceptable enough for a business that solely uses basic cloud services (a small business) to not have to worry about the risk with compliance regulations, due to the attestation reports and controls that the cloud provider offers. This is where the shared responsibility model plays a critical role.

    Hope some of this helps. If you have further questions, let me know.

    ------------------------------
    Sean Heide
    Research Analyst
    CSA
    ------------------------------



  • 3.  RE: Risk Tolerance: Acceptable Risks

    Posted Dec 14, 2020 10:20:00 AM
    Thank you for your detailed response; this helps!

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------



  • 4.  RE: Risk Tolerance: Acceptable Risks

    CSA Instructor
    Posted Dec 14, 2020 08:47:00 AM
    Example:
    Core banking system: low tolerance, lack of certifications unacceptable.
    Hot new startup for marketing intelligence system: high tolerance, willing to accept that the company goes out of business.

    Extreme examples, but I hope they make the point.

    ------------------------------
    Peter HJ van Eijk
    CCSK & CCAK trainer
    https://www.clubcloudcomputing.com/
    ------------------------------



  • 5.  RE: Risk Tolerance: Acceptable Risks

    Posted Dec 14, 2020 10:22:00 AM
    Thank you for these examples!

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------