Risk Control Strategies

Once the ranked vulnerability risk worksheet has created, they should choose one of following 4 strategies to control each risk:
•    Apply safeguards which eliminates/ reduce the remaining uncontrolled risks for the vulnerability.
•    Transfer risk to other areas /to outside entities.
•    Reduce impact should the vulnerability be exploited.
•    Understand consequences and accept risk (acceptance) without control/mitigation.

Avoidance
•    Attempts to avoid exploitation of vulnerability
•    Preferred approach; accomplished through countering threats, restricting asset access, removing asset vulnerabilities, and adding protective safeguards
•    Three basic methods of risk avoidance:
1 Application of policy
2 Training and education
3 Applying technology

Transference
•    Control approach which attempts to shift risk to other assets, or organizations
•    If lacking, organization should hire individuals/firms which provide security management and administration expertise
•    Organization may then transfer risk related with management of complex systems to another organization experienced in dealing with the risks.

Mitigation

•    Attempts to reduce the impact of vulnerability exploitation through planning and preparation

•    Approach includes 3 types of plans:

1 Incident response plan (IRP)

2 Disaster recovery plan (DRP)

3 Business continuity plan (BCP)’

Acceptance

•    Not doing anything to protect vulnerability and accepting outcome of its exploitation
•    Valid when the particular function, information, or asset doesn’t justify cost of protection
•    Risk appetite describes the degree to which the organization is willing to allow risk as trade off to the expense for applying the controls.