3.2.1.3 Cyber Security Risk Response
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
The cyber security risks of a Member Organization should be treated.
Objective
To ensure cyber security risks are treated (i.e., accepted, avoided, transferred or mitigated).
Control considerations
1. The relevant determined cyber security risks should be treated according to the Member Organization's risk appetite and cyber security requirements.
2. Cyber security risk response should ensure that the list of risk treatment options is documented (i.e., accepting, avoiding, transferring or mitigating risks by applying cyber security controls).
3. Accepting cyber security risks should include:
   a. the consideration of predefined limits for levels of cyber security risk;
   b. the approval and sign-off by the business owner, ensuring that:
      1. the accepted cyber security risk is within the risk appetite and is reported to the cyber security committee;
      2. the accepted cyber security risk does not contradict SAMA regulations.
4. Avoiding cyber security risks should involve a decision by a business owner to cancel or postpone a particular activity or project that introduces an unacceptable cyber security risk.
5. Transferring or sharing the cyber security risks should:
   a. involve sharing the cyber security risks with relevant (internal or external) providers;
   b. be accepted by the receiving (internal or external) provider(s);
   c. eventually lead to the actual transferring or sharing of the cyber security risk.
6. Applying cyber security controls to mitigate cyber security risks should include:
   a. identifying appropriate cyber security controls;
   b. evaluating the strengths and weaknesses of the cyber security controls, including:
      1. assessing the cost of implementing the cyber security controls;
      2. assessing the feasibility of implementing the cyber security controls;
      3. reviewing relevant compliance requirements for the cyber security controls;
   c. selecting cyber security controls;
   d. identifying, documenting and obtaining sign-off for any residual risk by the business owner.
7. Cyber security risk treatment actions should be documented in a risk treatment plan.