Difference between revisions of "Residual Risk"

From CIPedia
(Created page with "==Definitions== === Official European Definition === === Other International Definitions === ==== UNISDR ==== The risk that remains in unmanaged form, even when effective ...")
 
(Notes)
 
(53 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
==Definitions==
 
==Definitions==
=== Official European Definition ===
+
=== European Definitions ===
 
+
====[[ENISA]]====
 +
{{definition|''ENISA uses the ISO definition, see below.'' <ref name="ENISAGlos"> [http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/glossary ENISA Risk Glossary]</ref>}}<br />
  
 
=== Other International Definitions ===
 
=== Other International Definitions ===
==== UNISDR ====
+
==== [[UNDRR]] ====
The risk that remains in unmanaged form, even when effective [[disaster risk]] reduction [[measure|measures]] are in place, and for which [[emergency]] response and recovery capacities must be maintained <ref> [http://www.unisdr.org/files/7817_UNISDRTerminologyEnglish.pdf 2009 UNISDR Terminology on Disaster Risk Reduction]</ref>. According to UNISDR, the presence of residual risk implies a continuing need to develop and support effective capacities for [[emergency services]], [[preparedness]],
+
{{definition|The risk that remains in unmanaged form, even when effective [[Disaster Risk|disaster risk]] reduction [[measure|measures]] are in place, and for which [[emergency]] response and recovery capacities must be maintained. <ref> [http://www.unisdr.org/files/7817_UNISDRTerminologyEnglish.pdf 2009 UNISDR Terminology on Disaster Risk Reduction]</ref>}}
[[response]] and [[recovery]] together with socio-economic policies such as safety nets and [[risk transfer]] mechanisms.
+
<big>According to UNISDR, the presence of residual risk implies a continuing need to develop and support effective capacities for [[emergency services]], [[preparedness]],[[response]] and [[recovery]] together with socio-economic policies such as safety nets and [[Risk Transfer|risk transfer]] mechanisms.</big><br/><br/>
 +
{{definition|Risque résiduel: Les risques qui restent non gérés même si l’efficacité des mesures de réduction des risques de catastrophe est en place, et pour lesquels les interventions d’urgence et les capacités de récupération doivent être maintenues. <ref>[http://unisdr.org/files/7817_UNISDRTerminologyFrench.pdf UNISDR glossary]</ref>}}<br/>
 +
{{definition|Остаточный риск: Риск, который не поддается управлению даже после эффективной реализации мер по снижению риска, для противодействия которому необходимо сохранять потенциал реагирования и восстановления. <ref>[http://unisdr.org/files/7817_UNISDRTerminologyRussian.pdf UNISDR glossary]</ref>}}<br/>
 +
{{definition|Riesgo residual: El riesgo que todavía no se ha gestionado, aún cuando existan medidas eficaces para la reducción del riesgo de desastres y para los cuales se debe mantener las capacidades de respuesta de emergencia y de recuperación. <ref>[http://unisdr.org/files/7817_UNISDRTerminologySpanish.pdf UNISDR glossary]</ref>}}<br/>
 +
{{definition| المخاطر المتبقية : المخاطر التي لم يتم التحكم بها حتى بعد تطبيق الإجراءات  الفعالة للحد من مخاطر الكوارث، والتي يجب المحافظة معها على قدرات الاستجابة والتعافي في حالات الطوارئ.  <ref>[http://www.unisdr.org/files/7817_UNISDRTerminologyArabic.pdf UNISDR glossary]</ref>}}<br/>
 +
{{definition|Risiko Residual: Risiko yang tetap ada dalam bentuk yang tidak bisa dikelola, meskipun sudah ada langkahlangkah pengurangan risiko bencana yang efektif, dan yang mengharuskan tetap dijaganya kapasitas respons keadaan darurat dan  pemulihan. <ref>[http://www.preventionweb.net/files/7817_isdrindonesia.pdf UNISDR glossary in Bahasa]</ref>}}<br/>
 +
{{definition|Sisa Risiko:  Risiko yang tertinggal dalam bentuk yang tidak diuruskan, walaupun tindakan pengurangan risiko bencana dilaksanakan, dan oleh sebab itu, respon kecemasan serta kapasiti pemulihan perlu dikekalkan. <ref>[http://www.preventionweb.net/files/7817_isdrmalaysiaterminology.pdf UNISDR glossary in Malay]</ref>}}<br/>
 +
{{definition|Mga Labing (Tirang) Peligro: Ang nalalabing peligro sa di-napamahalaang anyo (porma), kahit na mayruong mga hakbang sa pagbabawas ng peligro ng kalamidad, ay pagkakalooban pa rin ng pangkagipitang pagtugon at ang mga kakayahan sa pagrekober ay mamantinihin. <ref>[http://www.preventionweb.net/files/7817_isdrphillipinesterminology.pdf UNISDR glossary in Tagalog]</ref>}}<br/>
 +
{{definition|残余风险 - 即使有效的减少灾害风险措施已经到位却仍然以无管控形式存在并需要维持 应急反应和复原能力的灾害风险。 <ref>[https://www.preventionweb.net/files/50683_oiewgreportenglish.pdf UNDRR Terminology on Disaster Risk Reduction in Chinese]</ref>}}<br/>
 +
{{definition|<ref>[https://www.preventionweb.net/files/7817_unisdr2009terminologypersianedition.pdf Internationally agreed glossary of basic terms related to Disaster Management in Farsi]</ref>ه خطرپذيري  باقيمانده<br/>خطرپذيري كه به صورت مديريت نشده باقي مي ماند، حتي در زماني كه اقدامات مربوط به كاهش خطرپذيري<br/>بحران به طور موثر و در جاي خود بكار روند و در اين موارد بايد واكنش در شرايط اضطراري و ظرفيت هاي<br/>بازتواني مد نظر قرار گيرد. }}<br/><br/>
  
 
=== National Definitions ===
 
=== National Definitions ===
<!--Test test test.-->
+
==== [[Argentina]] ====
 +
{{definition|Riesgo residual: El riesgo que todavía no se ha gestionado, aun cuando existan medidas eficaces para la reducción del riesgo de desastres y para los cuales se debe mantener las capacidades de respuesta de emergencia y de recuperación.  <ref>[http://servicios.infoleg.gob.ar/infolegInternet/anexos/240000-244999/242082/norma.htm SUBSECRETARÍA DE PROTECCIÓN CIVIL Y ABORDAJE INTEGRAL DE EMERGENCIAS Y CATÁSTROFES (1/2015)]</ref>}}<br/><br/> 
 +
 
 +
 
 +
==== [[Australia]] ====
 +
{{definition|Residual risk: The remaining level of [[risk]] after any risk treatments have been implemented. <ref>[https://www.protectivesecurity.gov.au/resources/Pages/PSPF-Glossary-of-terms.aspx  Protective Security Policy Framework - Glossary Oct 2017]</ref>}}<br/><br/>
 +
====[[Belgium]]====
 +
{{definition|Restrisico’s zijn de risico’s die blijven bestaan na de risicobehandeling of, anders gezegd, nadat beschermingsmaatregelen werden ingevoerd. <ref>[https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/nota_beveiliging_van_persoonsgegevens.pdf Gegevensbeschermingsautoriteit]</ref>}}<br/><br/>
 +
 
 +
==== [[Canada]] ====
 +
{{definition|Residual risk: The [[likelihood]] and [[impact]] of a [[threat]] that remains after security controls are implemented. <ref>[https://www.cyber.gc.ca/en/glossary Glossary - Canadian Centre for Cyber Security]</ref><br/><br/>Risque résiduel: Le degré de probabilité et les répercussions potentielles d'une menace qui subsistent après la mise en application des contrôles de sécurité. <ref>[https://www.cyber.gc.ca/fr/glossaire Glossaire - Centre Canadien pour la Cybersécurité]</ref>}}
 +
<br/>
 +
{{definition|Residual risk: risk that remains after implementing risk mitigation measures.<br/><br />Risque résiduel: risque qui subsiste après l’application de mesures d’atténuation du risque. <ref name="canada_fr">[http://publications.gc.ca/collections/collection_2012/tpsgc-pwgsc/S52-2-281-2012.pdf Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)]</ref>}}<br /><br/>
 +
{{definition|Risque résiduel: risque qui subsiste après la mise en œuvre de mesures de réduction des conséquences et des fréquences d’occurrence des accidents potentiels. <ref name="canada">[http://www.mddelcc.gouv.qc.ca/evaluations/documents/guide-risque-techno.pdf Guide Analyse de risques d'accidents technologiques majeurs (2002)]</ref>}}<br /><br/>
 +
 
 +
==== [[Colombia]] ====
 +
{{definition|Riesgo Residual: Remanente después del Tratamiento del Riesgo. (GTC137 2011). Es aquel que permanece aún después de desarrolladas las acciones de tratamiento del riesgo.  <ref>[https://www.policia.gov.co/glosario Glosario Policia Colombia]</ref>}}Capacidad total de riesgo que una organización está dispuesta a aceptar, tolerar o asumir en cualquier momento dado.<br /><br/>
 +
==== [[Czech Republic]] ====
 +
{{definition| Zbytkové riziko: Riziko, které zůstává i po aplikaci příslušných opatření. <ref>[http://www.govcert.cz/download/nodeid-561  Výkladový slovník kybernetické bezpečnosti (2013)]</ref> <br/><br/> Residual risk is the [[risk]] remaining even after an application of the appropriate [[measure|measures]]. <ref> [http://www.govcert.cz/download/nodeid-561  Výkladový slovník kybernetické bezpečnosti (2013)]</ref>}}<br/>
 +
==== [[Japan]] ====
 +
{{definition|残存リスク: 対策が適用された後に残るリスク. <br/><br/>The risk that remains after countermeasures have been applied. <ref>[http://www.ipa.go.jp/security/rfc/RFC2828EN.html  RFC2828 (Japanese translation) ]</ref>}}<br/><br/>
 +
==== [[Luxembourg]] ====
 +
{{definition|Risque résiduel: Risque subsistant après le traitement des risques.  <ref>[https://cybersecurite.public.lu/fr/glossaire.html Glossaire]</ref>}}<br/><br/>
 +
 
 +
==== [[Philippines]] ====
 +
{{definition|Residual Risk: The remaining potential risk after all IT security measures are applied. <ref>[http://www.dnd.gov.ph/miss/PDF/downloadables/Cybersecurity%20Glossary%20(Edited).pdf DND GLOSSARY OF CYBER SECURITY TERMS (v.4)]</ref>}}<br/>
 +
{{definition|Residual Risk: The level of risk that remains after all efforts to mitigate and eliminate risk have been made.  <ref>[https://digital.nhs.uk/services/data-and-cyber-security-protecting-information-and-data-in-health-and-care/cyber-and-data-security-policy-and-good-practice-in-health-and-care/cyber-and-data-security-resources/cyber-security-glossary NHS Cyber security glossary]</ref>}}<br/><br/>
 +
 
 +
====[[Portugal]] ====
 +
{{definition|[Definição]Risco Residual: Risco que permanece após terem sido aplicadas medidas de segurança, dado que não é possível neutralizar todas as ameaças nem eliminar todas as vulnerabilidades.  <ref>[https://www.cncs.gov.pt/recursos/glossario/ Glossário Centro National de Cibersegurança Portugal]</ref>}}<br /><br/>
 +
==== [[Switzerland]]====
 +
{{definition|Restrisiko bezeichnet das [[Risk|Risiko]], das nach Realisierung aller vorgesehenen Sicherheitsmassnahmen weiterhin verbleibt. <ref>[http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/gefaehrdungen-risiken.parsysrelated1.62085.downloadList.63404.DownloadFile.tmp/20130422glossarde.pdf Glossar der Risikobegriffe, Bundesamt für Bevölkerungsschutz BABS, 29.4.2013]</ref><br/><br/>On entend par « risque résiduel » le [[Risk|risque]] qui subsiste une fois que toutes les mesures de sécurité prévues ont été mises en oeuvre. <ref>[http://www.bevoelkerungsschutz.admin.ch/internet/bs/fr/home/themen/gefaehrdungen-risiken.parsysrelated1.83210.downloadList.55257.DownloadFile.tmp/20130422glossarfr.pdf Glossaire des risques, Office fédéral de la protection de la population, 29.4.2013]</ref><br/><br/>È il [[Risk|rischio]] che rimane dopo l'adozione di tutte le misure di sicurezza previste. <ref>[http://www.bevoelkerungsschutz.admin.ch/internet/bs/it/home/themen/gefaehrdungen-risiken.parsysrelated1.49227.downloadList.52339.DownloadFile.tmp/20130422glossarit.pdf Glossario sui rischi, Ufficio federale della protezione della popolazione UFPP, 29.4.2013]</ref>}} <br/><br/>
  
===Standard Definition===
 
  
 +
==== [[United States]] ====
 +
=====[[DHS]]=====
 +
{{definition|Residual risk is [[risk]] that remains after [[Risk Management|risk management]] [[Measure|measures]] have been implemented. <ref name="DHSLex"> [http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf DHS Risk Lexicon 2010 Edition, September 2010]</ref>}}<br />
 +
 +
=====[[NIST]]=====
 +
{{definition|The potential for the occurrence of an adverse [[event]] after adjusting for the impact of all in-place safeguards.  (from: NIST SP 800-16) <ref name=NIST>[https://csrc.nist.gov/Glossary NIST Glossary]</ref>}}<br/>
 +
{{definition|The remaining potential [[risk]] after all IT security measures are applied.  (from: NIST SP 800-16) <ref name=NIST>[https://csrc.nist.gov/Glossary NIST Glossary]</ref>}}There is a Residual risk associated with each [[threat]]. <br/>
  
 +
===Standard Definition===
 +
====[[IETF]]====
 +
{{definition|The portion of an original [[risk]] or set of risks that remain after [[Countermeasure|countermeasures]] have been applied. <ref name="IETFrefs">[https://tools.ietf.org/html/rfc4949 IETF RFC449 Internet Security Glossary 2]</ref>}}<br />
 +
==== [[ISO|ISO/IEC 27000:2014 and ISO 31000:2009]] ====
 +
{{definition|Residual risk is the [[Risk|risk]] remaining after [[Risk Treatment|risk treatment]]. <ref name="ISO27000-14"> [http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=63411 ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary]</ref> <ref name="ISO31000-09"> [http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 ISO/IEC 31000:2009, Risk management -- Principles and guidelines]</ref>}}
 +
<big>
 +
* Residual risk can contain unidentified risk.
 +
* Residual risk can also be known as “retained risk”.</big><br />
  
 
==See also==
 
==See also==
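Review bot: In the Colombia entry the sentence after the closing "}}" ("Capacidad total de riesgo que una organización está dispuesta a aceptar, tolerar o asumir...") sits outside the {{definition}} template, has no <ref>, and describes the total risk capacity an organisation will accept rather than residual risk; drop it or move it into its own sourced template. The second Philippines definition is sourced to the NHS Cyber security glossary, so it belongs under a United Kingdom heading, and the sentence "There is a Residual risk associated with each threat." after the second NIST template is likewise unsourced and outside the template. Smaller points: the IETF link text reads "RFC449" while the URL is rfc4949, so it should be "RFC 4949"; the ISO heading says "ISO 31000:2009" but the ref text says "ISO/IEC 31000:2009" (the two should agree, and 31000 is an ISO-only standard); the Portugal definition still carries a stray "[Definição]" prefix and "Centro National" should read "Centro Nacional"; the Canada ref title has "urgencies" for "urgences".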
Line 19: Line 74:
  
 
==Notes==
 
==Notes==
<references />
 
  
<!--
 
 
==References==
 
==References==
* Test reference. -->
+
<references />
  
[[Category:Main]]
+
[[Category:Risk]]
 +
{{#set:defined by=ENISA|defined by=UNDRR|defined by=Argentina|defined by=Australia|defined by=Belgium|defined by=Canada|defined by=Colombia|defined by=Czech Republic|defined by=Japan|defined by=Luxembourg|defined by=Philippines|defined by=Portugal|defined by=Switzerland|defined by=United States|defined by=ISO|defined by=IETF|defined by=DHS|defined by=NIST}}
 +
{{#set: Showmainpage=Yes}}
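Review bot: "<references />" now appears twice in the new revision, once unchanged directly under ==Notes== and once added after the commented-out References block; the page only needs one, so drop the duplicate and keep the one below the comment. The added {{#set:defined by=...}} property list also omits the United Kingdom although the NHS Cyber security glossary is cited on the page, and it lists ENISA, whose entry only defers to the ISO definition.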

Latest revision as of 12:34, 15 August 2022

Definitions

European Definitions

ENISA

ENISA uses the ISO definition, see below. [1]


Other International Definitions

UNDRR

The risk that remains in unmanaged form, even when effective disaster risk reduction measures are in place, and for which emergency response and recovery capacities must be maintained. [2]

According to UNISDR, the presence of residual risk implies a continuing need to develop and support effective capacities for emergency services, preparedness, response and recovery, together with socio-economic policies such as safety nets and risk transfer mechanisms.

Residual risk (French, risque résiduel): The risks that remain unmanaged even if effective disaster risk reduction measures are in place, and for which emergency interventions and recovery capacities must be maintained. [3]


Residual risk (Russian, остаточный риск): Risk that cannot be managed even after the effective implementation of risk reduction measures, and to counter which response and recovery capacities must be maintained. [4]


Residual risk (Spanish, riesgo residual): The risk that has still not been managed, even when effective disaster risk reduction measures exist, and for which emergency response and recovery capacities must be maintained. [5]


Residual risk (Arabic, المخاطر المتبقية): The risks that have not been brought under control even after effective disaster risk reduction measures have been applied, and alongside which emergency response and recovery capacities must be maintained. [6]


Residual risk (Indonesian, risiko residual): Risk that remains in a form that cannot be managed, even when effective disaster risk reduction steps are already in place, and which requires that emergency response and recovery capacities be maintained. [7]


Residual risk (Malay, sisa risiko): Risk left over in unmanaged form, even when disaster risk reduction measures are implemented, and because of which emergency response and recovery capacities need to be maintained. [8]


Residual risk (Tagalog, mga labing peligro): The remaining risk in unmanaged form which, even when steps to reduce disaster risk are in place, will still have to be met with emergency response, and for which recovery capacities will be maintained. [9]


Residual risk (Chinese, 残余风险): The disaster risk that still exists in uncontrolled form even when effective disaster risk reduction measures are in place, and that requires emergency response and recovery capacities to be maintained. [10]


Residual risk (Farsi, خطرپذيري باقيمانده): Risk that remains in unmanaged form even when disaster risk reduction measures are applied effectively and in their proper place, and in such cases emergency response and recovery capacities must be taken into account. [11]



National Definitions

Argentina

Residual risk (riesgo residual): The risk that has still not been managed, even when effective disaster risk reduction measures exist, and for which emergency response and recovery capacities must be maintained. [12]




Australia

Residual risk: The remaining level of risk after any risk treatments have been implemented. [13]



Belgium

Residual risks (restrisico's) are the risks that continue to exist after risk treatment or, put differently, after protective measures have been introduced. [14]



Canada

Residual risk: The likelihood and impact of a threat that remains after security controls are implemented. [15]

Residual risk (risque résiduel): The degree of probability and the potential repercussions of a threat that remain after security controls have been applied. [16]


Residual risk: risk that remains after implementing risk mitigation measures.

Residual risk (risque résiduel): risk that remains after the application of risk mitigation measures. [17]



Residual risk (risque résiduel): risk that remains after the implementation of measures that reduce the consequences and the frequency of occurrence of potential accidents. [18]



Colombia

Residual risk (riesgo residual): What remains after risk treatment (GTC137 2011). It is the risk that persists even after the risk treatment actions have been carried out. [19]

Total risk capacity that an organization is willing to accept, tolerate or assume at any given moment.

Czech Republic

Residual risk (zbytkové riziko): Risk that remains even after the application of the relevant measures. [20]

Residual risk is the risk remaining even after an application of the appropriate measures. [21]


Japan

Residual risk (残存リスク): The risk that remains after countermeasures have been applied.

The risk that remains after countermeasures have been applied. [22]



Luxembourg

Residual risk (risque résiduel): Risk remaining after risk treatment. [23]



Philippines

Residual Risk: The remaining potential risk after all IT security measures are applied. [24]


Residual Risk: The level of risk that remains after all efforts to mitigate and eliminate risk have been made. [25]



Portugal

Residual risk (risco residual): Risk that remains after security measures have been applied, given that it is not possible to neutralize every threat or eliminate every vulnerability. [26]



Switzerland

Residual risk (Restrisiko) denotes the risk that still remains after all planned security measures have been implemented. [27]

"Residual risk" (risque résiduel) means the risk that remains once all the planned security measures have been implemented. [28]

Residual risk (rischio residuo): The risk that remains after all the planned security measures have been adopted. [29]




United States

DHS

Residual risk is risk that remains after risk management measures have been implemented. [30]


NIST

The potential for the occurrence of an adverse event after adjusting for the impact of all in-place safeguards. (from: NIST SP 800-16) [31]


The remaining potential risk after all IT security measures are applied. (from: NIST SP 800-16) [31]

There is a residual risk associated with each threat.

Standard Definition

IETF

The portion of an original risk or set of risks that remain after countermeasures have been applied. [32]


ISO/IEC 27000:2014 and ISO 31000:2009

Residual risk is the risk remaining after risk treatment. [33] [34]

  • Residual risk can contain unidentified risk.
  • Residual risk can also be known as “retained risk”.

See also

Notes

References

  1. ENISA Risk Glossary
  2. 2009 UNISDR Terminology on Disaster Risk Reduction
  3. UNISDR glossary
  4. UNISDR glossary
  5. UNISDR glossary
  6. UNISDR glossary
  7. UNISDR glossary in Bahasa
  8. UNISDR glossary in Malay
  9. UNISDR glossary in Tagalog
  10. UNDRR Terminology on Disaster Risk Reduction in Chinese
  11. Internationally agreed glossary of basic terms related to Disaster Management in Farsi
  12. SUBSECRETARÍA DE PROTECCIÓN CIVIL Y ABORDAJE INTEGRAL DE EMERGENCIAS Y CATÁSTROFES (1/2015)
  13. Protective Security Policy Framework - Glossary Oct 2017
  14. Gegevensbeschermingsautoriteit
  15. Glossary - Canadian Centre for Cyber Security
  16. Glossaire - Centre Canadien pour la Cybersécurité
  17. Vocabulaire de la gestion des urgences / Emergency Management Vocabulary 281 (2012)
  18. Guide Analyse de risques d'accidents technologiques majeurs (2002)
  19. Glosario Policia Colombia
  20. Výkladový slovník kybernetické bezpečnosti (2013)
  21. Výkladový slovník kybernetické bezpečnosti (2013)
  22. RFC2828 (Japanese translation)
  23. Glossaire
  24. DND GLOSSARY OF CYBER SECURITY TERMS (v.4)
  25. NHS Cyber security glossary
  26. Glossário, Centro Nacional de Cibersegurança, Portugal
  27. Glossar der Risikobegriffe, Bundesamt für Bevölkerungsschutz BABS, 29.4.2013
  28. Glossaire des risques, Office fédéral de la protection de la population, 29.4.2013
  29. Glossario sui rischi, Ufficio federale della protezione della popolazione UFPP, 29.4.2013
  30. DHS Risk Lexicon 2010 Edition, September 2010
  31. NIST Glossary
  32. IETF RFC 4949, Internet Security Glossary, Version 2
  33. ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
  34. ISO 31000:2009, Risk management -- Principles and guidelines