Information Security Governance Papers

Paper Title: Risk Mitigation
Abstract: Risk mitigation is the second phase of the risk management process. Because eliminating all risk from a system is impractical, if not impossible, risk mitigation instead prioritizes, evaluates, and implements the appropriate risk-reducing controls recommended by the risk assessment process, drawing on the guidance provided in NIST SP 800-53.
System and organizational managers have several options for reducing the risk to a system: risk assumption; risk avoidance; risk limitation; risk planning; research and acknowledgment; and risk transference.
Figure 10-4 illustrates a straightforward strategy for deciding whether risk mitigation actions are necessary. Starting from each risk identified and analyzed in the first phase, risk assessment, managers decide whether that risk is acceptable or unacceptable and, for unacceptable risks, whether to implement additional controls to mitigate them. The first decision box in the figure applies only to threats involving intentional attacks, because it weighs the attacker's cost against the attacker's gain. Natural threats and unintentional human errors have no such threat-source cost or gain to consider, so for them the strategy skips this box and proceeds to the next decision box.
Web Link: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
