IT Examiner School, Seaside, CA

Question

What other information regarding residual risk would you want to see documented in a risk assessment or in a separate residual risk analysis?

Risk Assessment Guidance

• The Board is responsible for communicating its risk tolerance to management.
• Effective risk assessments are done by qualified personnel, have executive-level ownership, and are enterprise-wide.
• Risk acceptance decisions should be made at the Board and/or executive management level.
• An effective risk assessment process includes identification of assets, threats, and vulnerabilities.
• Review Board minutes for support for answers provided by management during discussions (approval/discussion of risk assessment findings, risk acceptance decisions, etc.).