Organizations need defined processes for completing risk treatment and risk mitigation activities once a risk assessment has been completed. Without these processes, risks may be identified during risk assessments but never properly addressed or managed. Risk treatment and mitigation are the focus of Pitfall #12 in my eBook, Security Program Pitfalls and Prescriptions to Avoid Them.
Risk treatment and risk mitigation actions should be prioritized by the business importance or criticality of the affected systems, the probability that the risk materializes, and its financial, reputational, and legal impact. The risk treatment process should identify every control that must be implemented to address or mitigate each risk, and its output should be a documented risk treatment plan. Once the plan exists, the corresponding risk mitigation work should be carried out so that identified risks are actually managed rather than merely recorded.
Risks should be managed in one of four ways:
· Risk Avoidance
· Risk Reduction
· Risk Transference
· Risk Acceptance
A documented process for risk mitigation should be developed. Your organization should define and document the criteria used to decide whether an identified risk will be avoided, reduced, transferred, or accepted. Those decisions should include a cost-benefit analysis of the proposed remediation activities or the countermeasures to be implemented.
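The following is an added worked example (not code from the eBook or from the ASECENT portal) of what a documented treatment process looks like once it is written down as rules: each risk in a small register is scored from the factors listed above (system criticality, probability, and financial, reputational and legal impact), ordered into a treatment plan, and assigned one of the four treatments by an explicit cost-benefit test. The likelihood-times-impact loss model, the 1..5 impact scales, the RISK_APPETITE threshold and the sample register are all hypothetical placeholders; real criteria come from your own risk management policy.

```python
"""Risk treatment decision example (added illustration, not the author's process).

Assumed conventions, all hypothetical: likelihood is an annual probability,
financial impact is a single-loss figure in currency units, the 1..5 ratings
and RISK_APPETITE are placeholder organisational criteria.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Hypothetical risk appetite: the largest annual loss expectancy (ALE) the
# organisation is willing to accept without treatment.
RISK_APPETITE = 25_000.0


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    residual_likelihood: float  # annual probability once the control is in place


@dataclass
class Risk:
    risk_id: str
    description: str
    criticality: int          # business criticality of the affected system, 1..5
    likelihood: float         # annual probability that the risk materialises
    financial_impact: float   # loss per occurrence, currency units
    reputational_impact: int  # 1..5
    legal_impact: int         # 1..5
    countermeasure: Optional[Countermeasure] = None
    transfer_premium: Optional[float] = None  # e.g. insurance premium, if offered


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = probability of impact x financial impact (simple quantitative model)."""
    return risk.likelihood * risk.financial_impact


def priority_score(risk: Risk) -> float:
    """Orders the plan: ALE scaled by the mean of the criticality, reputational
    and legal ratings (hypothetical weighting)."""
    qualitative = (risk.criticality + risk.reputational_impact + risk.legal_impact) / 3
    return annual_loss_expectancy(risk) * qualitative


def choose_treatment(risk: Risk) -> dict:
    """Pick Avoid / Reduce / Transfer / Accept from documented criteria.

    Reduce is viable when the ALE a countermeasure removes exceeds its cost and
    the residual ALE is within appetite; Transfer when the premium is below the
    ALE; Accept only when the untreated ALE is within appetite. The option with
    the largest net annual benefit wins; with no viable option, Avoid.
    """
    ale = annual_loss_expectancy(risk)
    candidates: list[tuple[str, float, str]] = []  # (treatment, net benefit, rationale)

    cm = risk.countermeasure
    if cm is not None:
        residual_ale = cm.residual_likelihood * risk.financial_impact
        net = ale - residual_ale - cm.annual_cost
        if net > 0 and residual_ale <= RISK_APPETITE:
            candidates.append(("Reduce", net, f"{cm.name}: net benefit {net:,.0f}/yr"))

    if risk.transfer_premium is not None and risk.transfer_premium < ale:
        net = ale - risk.transfer_premium
        candidates.append(("Transfer", net, f"premium {risk.transfer_premium:,.0f} < ALE {ale:,.0f}"))

    if ale <= RISK_APPETITE:
        candidates.append(("Accept", 0.0, f"ALE {ale:,.0f} within appetite {RISK_APPETITE:,.0f}"))

    if not candidates:
        return {"treatment": "Avoid", "ale": ale,
                "rationale": "no cost-effective control or transfer; discontinue the activity"}

    treatment, _, rationale = max(candidates, key=lambda c: c[1])
    return {"treatment": treatment, "ale": ale, "rationale": rationale}


def build_treatment_plan(register: list[Risk]) -> list[dict]:
    """The documented risk treatment plan: risks in priority order, each with its decision."""
    plan = []
    for risk in sorted(register, key=priority_score, reverse=True):
        plan.append({"risk_id": risk.risk_id, "priority": round(priority_score(risk)),
                     **choose_treatment(risk)})
    return plan


# Constructed sample register; none of these are real findings.
SAMPLE_REGISTER = [
    Risk("R1", "Internet-facing customer database with unpatched components",
         criticality=5, likelihood=0.30, financial_impact=500_000,
         reputational_impact=5, legal_impact=5,
         countermeasure=Countermeasure("WAF + monthly patch cycle", 40_000, 0.05),
         transfer_premium=120_000),
    Risk("R2", "Internal wiki defacement", criticality=2, likelihood=0.20,
         financial_impact=10_000, reputational_impact=1, legal_impact=1,
         countermeasure=Countermeasure("Dedicated wiki hardening project", 15_000, 0.02)),
    Risk("R3", "Unsupported legacy payment application", criticality=4, likelihood=0.60,
         financial_impact=400_000, reputational_impact=3, legal_impact=4),
    Risk("R4", "Third-party logistics integration outage", criticality=3, likelihood=0.10,
         financial_impact=300_000, reputational_impact=2, legal_impact=2,
         countermeasure=Countermeasure("Redundant integration partner", 50_000, 0.05),
         transfer_premium=20_000),
]

if __name__ == "__main__":
    for row in build_treatment_plan(SAMPLE_REGISTER):
        print(f"{row['risk_id']:3} {row['treatment']:9} ALE={row['ale']:>10,.0f}  {row['rationale']}")
```

Running the sample register puts R3 first (high ALE with no affordable control, so it is avoided), has R1 reduced because the control's saved loss outweighs its cost, transfers R4 because the premium undercuts the ALE, and accepts R2 as within appetite. The point for a program is less the exact formula than that the criteria and the cost-benefit step are written down, so every decision in the plan can be traced back to them.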
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.