The following list identifies several best practices you can follow when enabling a risk mitigation plan from a risk assessment:
- Stay within scope—The mitigation plan is derived from the risk assessment. In other words, the scope of the mitigation plan should not go outside the scope of the risk assessment. If you don’t manage the scope, the costs can easily get out of control.
- Redo CBAs if new costs are identified—You commonly complete a cost-benefit analysis (CBA) for a countermeasure as part of the risk assessment. If you identify any costs that weren’t included in the original CBA, the accuracy of that CBA is in question. You should redo the CBA with the accurate costs.
- Prioritize countermeasures—You should prioritize countermeasures based on their importance. A common way to identify the high-priority countermeasures is by scoring them with a threat/vulnerability matrix. You should implement high-priority countermeasures first.
- Include current countermeasures in analysis—When scoring countermeasures, ensure that current countermeasures are considered. For example, a threat may have a high impact but an in-place countermeasure has reduced this to a low impact. When evaluating a threat, consider the in-place countermeasure and assign a low impact to the threat.
- Control costs—Costs should stay within the allocated budget. Any change in the costs can affect the CBA. If additional costs are too high, the value of the countermeasure may be significantly reduced.
- Control the schedule—When the schedule is delayed, costs frequently go up. Also, remember that the countermeasure is mitigating a risk. Additionally, the longer the implementation is delayed, the longer the organization remains at risk.
- Follow up—Ensure that approved countermeasures have been implemented. Additionally, ensure that the countermeasures mitigate the risk as expected.
Summarized from the book Risk List and Control - Darril Gibson
Darril Gibson is the CEO of Security Consulting and Training, LLC. He regularly teaches, writes, and consults on a wide variety of security and technical topics. He’s been a Microsoft Certified Trainer for more than 10 years and holds several certifications, including MCSE, MCDBA, MCSD, MCITP, ITIL v3, Security+, and CISSP. He has authored, coauthored, or contributed to 10 books including the successful Security+: Get Certified, Get Ahead.