Risk Control Strategies
Avoidance
- Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability.
- This risk control strategy attempts to prevent the exploitation of the vulnerability.
- This strategy is accomplished through policy, training and education, countering threats, and implementing technical security controls and safeguards.
Transference
- Shifting the risk to other areas or to outside entities.
- This control approach attempts to shift the risk to other assets, other processes or other organizations.
- May be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
Mitigation
- Reducing the impact if the vulnerability is exploited.
- This control approach attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability.
- Types of mitigation plans:
  - Incident response plan (IRP)
  - Disaster recovery plan (DRP)
  - Business continuity plan (BCP)
Acceptance
- Understanding the consequences and accepting the risk without control or mitigation.
- The choice to do nothing to protect an information asset from risk and accept the loss when it occurs.
- Before using the acceptance strategy, the organization must:
  - Determine the level of risk to the information asset
  - Assess the probability of attack and the likelihood of a successful exploitation of a vulnerability
  - Approximate the annual rate of occurrence (ARO) of the exploit
  - Estimate the potential loss from attacks
  - Perform a thorough cost-benefit analysis
  - Evaluate controls using each appropriate type of feasibility analysis report
  - Determine that the particular function, service, information, or asset does not justify the cost of protection
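Worked example of the acceptance decision as a cost-benefit analysis, added here and not part of the original notes. It assumes the standard quantitative definitions SLE = AV × EF, ALE = SLE × ARO and CBA = ALE(prior) − ALE(post) − ACS, which the outline relies on but does not spell out; the asset names, values and candidate controls are constructed for illustration. Each candidate control is tagged with the strategy it implements (avoidance, transference, mitigation), and acceptance is chosen only when every evaluated control has a non-positive net benefit, matching the last two steps above.

```python
"""Cost-benefit support for the risk acceptance decision (added example).

Assumed definitions (standard quantitative risk terms, not stated in the notes):
    SLE = AV x EF                          single loss expectancy
    ALE = SLE x ARO                        annualized loss expectancy
    CBA = ALE(prior) - ALE(post) - ACS     net annual benefit of a control
All asset values, factors and controls below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    """A vulnerability on one information asset, before any new control."""
    asset: str
    asset_value: float      # AV, monetary value of the asset
    exposure_factor: float  # EF, fraction of AV lost per successful exploit (0..1)
    aro: float              # ARO, expected successful exploits per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard, tagged with the risk control strategy it implements."""
    name: str
    strategy: str           # "avoidance", "transference" or "mitigation"
    annual_cost: float      # ACS, annualized cost of the safeguard
    residual_ef: float      # EF remaining once the control is in place
    residual_aro: float     # ARO remaining once the control is in place


@dataclass(frozen=True)
class Decision:
    strategy: str               # chosen strategy; "acceptance" if no control pays off
    control: Optional[Control]  # control to implement, None for acceptance
    net_benefit: float          # CBA of the chosen control (or of the best rejected one)


def ale_after(exposure: Exposure, control: Control) -> float:
    """Annualized loss expectancy with the control in place."""
    return exposure.asset_value * control.residual_ef * control.residual_aro


def cba(exposure: Exposure, control: Control) -> float:
    """Net annual benefit: loss avoided by the control minus what it costs to run."""
    return exposure.ale() - ale_after(exposure, control) - control.annual_cost


def choose_strategy(exposure: Exposure, candidates: List[Control]) -> Decision:
    """Pick the control with the highest positive CBA; accept the risk if none has one.

    Acceptance is only defensible after controls have actually been evaluated,
    so an empty candidate list is rejected rather than silently accepted.
    """
    if not candidates:
        raise ValueError("acceptance requires at least one evaluated control")
    best = max(candidates, key=lambda c: cba(exposure, c))
    benefit = cba(exposure, best)
    if benefit <= 0:
        return Decision("acceptance", None, benefit)
    return Decision(best.strategy, best, benefit)


# Constructed sample data: a valuable, exposed asset and a cheap one.
PORTAL = Exposure("customer web portal", asset_value=200_000, exposure_factor=0.25, aro=0.5)
PORTAL_CONTROLS = [
    Control("web application firewall", "avoidance", annual_cost=12_000, residual_ef=0.25, residual_aro=0.10),
    Control("cyber insurance policy", "transference", annual_cost=9_000, residual_ef=0.10, residual_aro=0.50),
    Control("rewrite on hardened framework", "avoidance", annual_cost=40_000, residual_ef=0.05, residual_aro=0.10),
]
WIKI = Exposure("internal team wiki", asset_value=5_000, exposure_factor=0.5, aro=0.2)
WIKI_CONTROLS = [
    Control("nightly off-site backup", "mitigation", annual_cost=1_200, residual_ef=0.10, residual_aro=0.20),
]

if __name__ == "__main__":
    for exposure, controls in ((PORTAL, PORTAL_CONTROLS), (WIKI, WIKI_CONTROLS)):
        d = choose_strategy(exposure, controls)
        line = f"{exposure.asset}: ALE {exposure.ale():,.0f}/yr -> {d.strategy}"
        if d.control is not None:
            line += f" via '{d.control.name}' (CBA {d.net_benefit:,.0f}/yr)"
        else:
            line += f" (best control would lose {-d.net_benefit:,.0f}/yr)"
        print(line)
```

For the portal, the firewall (ALE falls from 25,000 to 5,000 for 12,000 a year) beats both insurance and the rewrite, so the outline's avoidance strategy is selected; for the wiki, the only control costs more than the 500 a year of expected loss it would prevent, which is exactly the situation in which acceptance is justified.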