Ranking or prioritizing hazards is one way to help determine which risk is the most serious and thus which to control first. Priority is usually established by taking into account the employee exposure and the potential for incident, injury or illness. By assigning a priority to the risks, you are creating a ranking or an action list.
There is no one simple or single way to determine the level of risk. Nor will a single technique apply in all situations. The organization has to determine which technique will work best for each situation. Ranking hazards requires the knowledge of the workplace activities, urgency of situations, and most importantly, objective judgement. For simple or less complex situations, an assessment can literally be a discussion or brainstorming session based on knowledge and experience. In some cases, checklists or a probability matrix can be helpful. For more complex situations, a team of knowledgeable personnel who are familiar with the work is usually necessary. As an example, consider this simple risk matrix. Table 1 shows the relationship between probability and severity. Severity ratings in this example represent:
Probability ratings in this example represent:
The cells in Table 1 correspond to a risk level, as shown in Table 2. These risk ratings correspond to recommended actions such as:
Let's use an example: When painting a room, a step stool must be used to reach higher areas. The individual will not be standing higher than 1 metre (3 feet) at any time. The assessment team reviewed the situation and agreed that working from a step stool at 1 m is likely to:
When compared to the risk matrix chart (Table 1), these values correspond to a low risk. The workplace decides to implement risk control measures, including the use of a stool with a large top that allows the individual to maintain stability when standing on it. Although the floor surface is flat, they also provided training to the individual on the importance of making sure the stool's legs always rest on the flat surface. The training also included steps to avoid excess reaching while painting.

What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?
The recognition, enumeration and documentation of risks to an organization's information assets is known as risk control. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment.
What is the term that indicates the probability that a specific vulnerability within an organization will be successfully attacked?
Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked. T/F: True.
Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. T/F.
What is the process of preventing the financial impact of an incident by implementing a control?
Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. The most common example of a mitigation procedure is a contingency plan.
Which is more important to the information asset classification scheme: that it be comprehensive or that it be mutually exclusive?
Answer: A comprehensive information asset classification scheme is more desirable because it implies that all assets will be included, even if they appear in more than one location.