Policies ensure that the organization operates within its risk profile. Policies define, or are the expression of, the organization's risk tolerance.
Risk tolerance is the point at which an organization decides how far it will go in accepting risk before the potential loss outweighs the opportunity; the business weighs the two and sets that boundary.
It is also the CCSP's job to educate stakeholders about the risks and benefits of cloud computing so that they are better able to make fact-based decisions rather than relying on hearsay and gossip.
The risk profile of the organization is a comprehensive analysis of the possible risks the organization is exposed to.
It is impossible to remove risk entirely. Never believe anyone who says that something has "zero risk" or that a control offers "100 percent security." Even with every possible control placed on a business function, some level of risk remains; this is called "residual risk."
Reference: CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide
https://www.amazon.com/Certified-Cloud-Security-Professional-Official/dp/1119277418