Risk Control Strategies
Once the ranked vulnerability risk worksheet has been created, the organization must choose one of the following four strategies to control each risk:
• Apply safeguards that eliminate or reduce the remaining uncontrolled risk for the vulnerability (avoidance).
• Transfer the risk to other areas or to outside entities (transference).
• Reduce the impact should the vulnerability be exploited (mitigation).
• Understand the consequences and accept the risk without control or mitigation (acceptance).
Avoidance
• Attempts to prevent the exploitation of the vulnerability
• Preferred approach; accomplished by countering threats, restricting access to assets, removing vulnerabilities in assets, and adding protective safeguards
• Three basic methods of risk avoidance:
1 Application of policy
2 Training and education
3 Applying technology
Transference
• Control approach that attempts to shift the risk to other assets or to other organizations
• If the organization lacks the expertise in-house, it should hire individuals or firms that provide security management and administration expertise
• The organization may then transfer the risk associated with managing complex systems to another organization experienced in dealing with those risks. Note that contracts and insurance shift the cost and day-to-day handling of a risk; they do not remove the organization's accountability for the outcome.
Mitigation
• Attempts to reduce the impact of vulnerability exploitation through planning and preparation
• The approach includes three types of plans:
1 Incident response plan (IRP)
2 Disaster recovery plan (DRP)
3 Business continuity plan (BCP)
Acceptance
• Doing nothing to protect the vulnerability and accepting the outcome of its exploitation; this must be a deliberate, documented decision made with the consequences understood, not simply ignoring the vulnerability
• Valid only when the particular function, information, or asset does not justify the cost of protection
• Risk appetite describes the degree to which the organization is willing to accept risk as a trade-off against the expense of applying controls.