Cybersecurity and Risk Control Implementation Report (Assessment)

Updated: Mar 31st, 2024

Changes to a single system component causing the need for changes to the controls

The risk treatment actions are the avoidance, reduction, transfer, and acceptance of risk. This sequence is part of a larger cycle that includes establishing the context, identifying the risk, and its evaluation, treatment, monitoring, and review (Treat Risks, 2009).


The first component of the risk treatment framework (avoidance) refers to the decision not to go through with procedures that may present a risk; the second (reduction) stands for minimizing the possibility of the risk in the future; the third (transfer) involves outsourcing the potential risk to other parties so that the risk outcomes affect other areas; finally, the last component (acceptance) stands for admitting the risk as an existing factor whose level is monitored and kept under control (Treat Risks, 2009). When changes are introduced to any of these elements of the system, the whole structure changes. For instance, when the stage of avoidance is not followed, the risk remains and keeps requiring new controls. The same happens when the second, third, and fourth steps are not addressed. In other words, the cycle remains incomplete and needs to be reevaluated with the addition of new or different control measures.

The necessity to modify the Cyber Insurance coverage in case of a change to a system component

Carter (2015) mentions an example of changing a cyber risk insurance policy in order to add aspects that protect the company and its employees from bodily injury and property damage. Such a modification expands the terms and conditions of the policy and changes the activities that the policy is expected to cover and respond to. The newly added aspects may contain potential threats to security. As a result, because one or more of the system components has changed, the whole sequence of risk treatment actions has to be revisited to address the new dangers. Specifically, the risk transfer component is adjusted because of the changes in the security insurance. The policy correlates directly with that component, which is why a change in one of them requires the other to be modified as well.

The application of pre- and post-implementation assessment when implementing a control

According to the SANS Analyst Program, controls may cover various dimensions such as applications, the vulnerabilities of network and endpoint devices, malware defense, data protection, and access and recovery (Hietala, 2013). To choose which controls are most applicable to a particular situation, information security professionals are to apply a pre-implementation assessment.

After the control is in place, the specialists are to conduct another evaluation to make sure that the control fulfills its duties and objectives correctly. This activity is called a post-implementation assessment. During the control implementation, the professionals must use the results of the pre-implementation assessment. Hietala (2013) also maintains that networks become more resistant to attacks when controls of different types are in place. For example, the critical security controls may be added to the existing controls to strengthen the protection. One aspect the specialists are to take into consideration is that the controls should not clash with one another; otherwise, such contradictions may result in security risks and breaches.

Addressing the remaining risk after implementation of a new control and a post-implementation assessment

When a control has already been put in place but the post-implementation assessment reveals that the risk persists, a professional has several primary options. First, the existing risk should be assessed and evaluated; it is possible that the level of the risk is minor and that it can be accepted under the fourth component of the risk treatment actions. Second, if the evaluation shows that the level of risk is too high to be accepted, it is possible that the specialist's choice of control was flawed. The newly placed control is to be revisited in order to determine its compatibility with the system and its needs.

If the control was chosen wrongly, the specialist is to follow the risk management framework once again to see which stages contain errors (the context establishment, identification of the risk, evaluation of the risk, its treatment, monitoring, and review) (Risk assessment and risk treatment, 2014). The client also has to decide whether the risk can be tolerated by their company or whether it should be treated. If all the steps were done correctly but the risk remains, it is important to perform a cost-benefit analysis and find out whether or not the risk can be addressed.


References

Carter, J. S. (2015). Web.

Hietala, J. D. (2013). Implementing the Critical Security Controls. Web.

Risk assessment and risk treatment. (2014). Web.

Treat Risks. (2009). Web.

IvyPanda. (2024, March 31). Cybersecurity and Risk Control Implementation. https://ivypanda.com/essays/cybersecurity-and-risk-control-implementation/
