Identify the processes that are currently being used to mitigate the vulnerability or threat. Mitigation categories refer to types of controls. The most common controls are:
Policy
Process
Management Practice
Guideline
Standard Operating Procedures (SOPs)
Other types include:
Technical Standard
Contract
Organization/Council
Training
Regulation
Software Tools
The assessment of current controls should review four key areas:
Are there controls in place for this vulnerability or threat? (i.e., do they exist?)
Are these controls properly implemented? (i.e., are they implemented everywhere they are required, and are they implemented consistently?)
Are the controls effective in managing the vulnerability or threat? Have the controls been effective in the past at addressing similar potential risks? Have the potential risks been realized in the past (i.e., has the risk previously materialized)?
Are there safeguards or compensating controls in place to mitigate this vulnerability or threat? Have these been effective in the past?
Based on the effectiveness of existing controls, and in light of the detailed review of vulnerabilities and threats, make recommendations on what else can be done to mitigate them. Additional controls, new processes and/or new technology may be necessary. The final recommendations incorporated into the risk mitigation plan should present the options judged to offer the best value-added return on the resources required, and hence to deliver the greatest impact to the business.
Once recommendations have been made for all risks, validate that they:
are consistent and will address the risks
will be acceptable to those, across all business areas, who will work with them on a day-to-day basis
do not contradict existing controls or cause negative effects outside the scope
are justified in terms of the anticipated costs, potential risk and the anticipated reward