We can also avoid risk, eliminate the entire situation that's causing the risk by simply saying hey, guess what? Not interested. Take your risk somewhere else, we don't want it here. We're not going to engage in that behavior that leads to the risk. We're not going to allow that system to be brought online. We're not going to operate that particular system in that way, so we're going to avoid the risk entirely. That is a possibility. We could disable system functionality. We could prevent risky activity by blocking it from occurring. There are a lot of things we can do to engage in risk avoidance.

We also can accept risk, right? Acceptance of risk is a strategy that indicates that the organization is going to take on certain risks. Operate knowing that the possibility, the likelihood exists that the risk will effectively become real, and we may have an impact as a result, but we're willing to do that. We often call that the cost of doing business, right? And so when we accept risk we're accepting a certain amount of liability, and a certain amount of likelihood or probability that the impact associated with that risk is going to occur at some point.

So we can transfer, we can mitigate, we can avoid, we can accept. Make sure you know the four ways. Establish mechanisms for dealing with risk. You out there, I'm talking to you, very important. Make sure you know the four ways that you can accept, mitigate, transfer, and/or avoid risk. Very important.

All right, Risk Treatment Review Activity. We always have some questions and go over some things after we've talked about them. No exceptions, this time we've got five. Let's take a look at what they are. I'll give you a quiet minute, let you ponder these. When you're done, you come back, you've got some answers for me. Let's make sure we go through them together. Let's take a look at what those answers look like, and make sure we know what they are.
Let's start with question number 1, question number 2, you see them on the screen in front of you. What risk treatment strategies are available? Well, we just talked about those. I said you should know what they are. Risk mitigation, transference, avoidance, and/or acceptance. Remember, no prioritized order here. It doesn't matter what we do, we just gotta figure out which one of the four, or which combination of the four we're going to use. But they're all equally important, we want to make sure we know that. What is risk mitigation? We know risk mitigation is all about reduction of risk. We usually will implement technical, managerial, and/or operational controls to achieve that reduction.

Number 3, what is the key to control selection? Well, the key to control selection is cost effectiveness, and relevancy based on the risk or the threat that we are trying to address. Is audit logging a preventive or detective control? Audit logging is a detective control. Is a firewall a preventive or detective control? It is a preventive control. You want to classify certain controls as detective, preventive, corrective, etc. You want to make sure you know how to do that. We have had that conversation in one of our prior areas of knowledge, and I would encourage you to go back and to take a look at that information if you need to. But we did go through how to classify controls, and have had that conversation already.

All right, so we've gone through our Risk Treatment Review Activity. We've gone through our questions, gone through our answers. We still have some additional material to go through in order to round out our conversations on the first part of our risk discussions. We have talked about audits and audit findings, so let's go through and have that conversation now. Auditing is the idea that we could come through and look at the current state of a system, the as-is state, and compare it against what we think the system should be doing.
We can use a baseline, or some sort of template as the standard, and we can measure what is currently happening. And if the two are compared and they match one another, five fingers on each hand, no problem. But if the as-is state is going to somehow look different than what we think it should look like, one finger versus five, right? It looks like we have a variance, a gap of four things that are not happening. Those four things are findings in an audit, and we have to specify what they are. We have to make the owner of the system aware of the issue, what we call the gap or the delta. And we then have to take steps to remediate, to deal with or somehow fix those gaps and get rid of them, right? One at a time, and knock them down so that they go away. This is the idea behind an audit.

An audit finding is the outcome of the audit. It's the report that we give you that says hey, everything is good. Or hey, everything is not so good, and then we've gotta go and figure out what we're going to do. So audit findings are effectively going to allow us to emphasize where things are being done right. But also point out where things are not being done well, and things that you have to go back and remediate or fix.

Auditing can be done internally or externally. We have internal auditors in some companies and some entities. We have external auditors that can be brought in. Typically, companies will go through at least one external audit a year. Especially if they're regulated by the government, in whatever venue that may occur. If they are regulated due to some sort of law, Sarbanes–Oxley, HIPAA, whatever, you're going to go through at least one external audit a year. The banking and financial services industry is going to be audited all the time. Biopharmaceutical companies are audited all the time, so this is not uncommon by any means.
So we may have internal auditing and internal risk management, or an internal audit division that does spot checking, pre-audit work throughout the year. And then we bring in an auditing firm that specializes in the kind of industry we're in, and they do the external audit that's official, that goes on the books that we use to certify compliance. We may do both.
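The baseline-versus-as-is comparison the audit discussion describes, worked as an added example (not part of the course material): a small gap check that treats each control whose observed value differs from the baseline as a finding, tags it with its control type and the owner who must remediate, and groups the gaps by owner the way an audit report would. The control names, owners, baseline values and observed state are constructed for illustration.

```python
"""Audit gap check: compare an as-is system state against a baseline.

Added example, not from the course; control names, owners and the sample
states below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str
    control_type: str   # preventive / detective / corrective
    owner: str          # who has to remediate the gap
    expected: object
    actual: object      # None means the control is absent entirely


# Constructed baseline: what the system should look like (five controls).
BASELINE = {
    "firewall_default_deny": {"type": "preventive", "owner": "network", "value": True},
    "audit_logging_enabled": {"type": "detective", "owner": "sysadmin", "value": True},
    "log_retention_days":    {"type": "detective", "owner": "sysadmin", "value": 365},
    "backup_tested":         {"type": "corrective", "owner": "ops", "value": True},
    "mfa_required":          {"type": "preventive", "owner": "iam", "value": True},
}


def audit(baseline, observed):
    """Return one Finding per control whose as-is value differs from the baseline."""
    findings = []
    for name, spec in baseline.items():
        actual = observed.get(name)          # missing control -> None -> finding
        if actual != spec["value"]:
            findings.append(Finding(name, spec["type"], spec["owner"], spec["value"], actual))
    return findings


def summarize(findings):
    """Group outstanding gaps by remediation owner, as an audit report would."""
    by_owner = {}
    for f in findings:
        by_owner.setdefault(f.owner, []).append(f.control)
    return by_owner


# Constructed as-is state: one control matches, four do not ("one finger versus five").
OBSERVED = {
    "firewall_default_deny": False,
    "audit_logging_enabled": True,
    "log_retention_days": 90,
    "mfa_required": False,
    # backup_tested is absent entirely
}

if __name__ == "__main__":
    for f in audit(BASELINE, OBSERVED):
        print(f"FINDING [{f.control_type}] {f.control}: expected {f.expected}, "
              f"found {f.actual} -> owner: {f.owner}")
```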