List and describe the five selecting control strategies for controlling risk.
Risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organization’s information systems. The primary deliverable from risk assessment was a list of documented vulnerabilities, ranked by criticality of impact. When risks from information security threats are creating a competitive disadvantage, the information technology and information security communities of interest control the risks.
An organization must choose from four basic strategies to control risks: risk avoidance, risk transference, risk mitigation and risk acceptance. Below, these four basic strategies are explained in detail.
Risk avoidance is applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability. Risk avoidance can be achieved through training and education, and by implementing technical security controls and safeguards. It can also be achieved through the use of policies. Risk avoidance identifies as many threats or vulnerabilities as possible and implements strategies to mitigate those threats, reducing the impact of an attack.
Risk transference is shifting the risk to other areas or to outside entities. The overall goal is to let someone else accept the risk. When looking at ways to transfer risk, I would evaluate things such as services. Many services can be outsourced, such as application services and IT services. An outside organization may be able to offer experience in certain areas that your organization simply cannot fill. Hiring an outside organization transfers the risk for that development to them.
Risk mitigation is reducing the impact should the vulnerability be exploited. With risk mitigation, the expectation is that it is not a matter of if something happens, but a matter of when. And when something does happen, you want to have policies and procedures in place to mitigate it. These risk mitigation strategies include disaster recovery plans, incident response plans and business continuity plans.
Risk acceptance understands the consequences and accepts the risk without control or mitigation. There will always be risk. It is impossible to eliminate risk, so there needs to be analysis of these things. This is achieved by determining the level of risk to the information. You also have to evaluate the probability of an attack versus the likelihood that the vulnerability will be exploited. Another way risk can be analyzed for risk acceptance is by evaluating the controls that are in place and ensuring that there are strong justifications for risk acceptance.
Termination control strategy: Instead of using a safeguard to protect an asset, or deploying zero safeguards and accepting the risks to an asset, this strategy removes the asset from the environment with risks. An example of this strategy would be to remove a server from a network because the company has determined that termination of the resource outweighs the benefit of leaving it on the network due to risk concerns.