Written by Aaron Nolan
Risk mitigation is the process of reducing the likelihood or the impact of incidents through the implementation of security controls. The entire idea behind risk mitigation is putting mechanisms in place to reduce risk to the organisation to a level it is prepared to accept. In this article, we will be talking about IT Security Controls, their role in the business and the characteristics that distinguish the different types.
Many different types of controls can be implemented to mitigate risk. Controls can be physical, technical or administrative, and they can act proactively (before an incident) or reactively (once an incident has occurred). After the risk analysis element of the risk management process, many companies struggle to implement the correct or sufficient controls because they lack IT Security knowledge. Choosing the wrong type of control, or an unnecessary one, can be a costly decision for the organisation: the money is spent and the risk remains.
The organisation’s governance structure is accountable for the risk within the company. Many organisations do not have in-house IT knowledge or expertise, which is why mature organisations consult an independent third party to assess the mitigating controls available for each risk.
At the mitigation point of the risk management process, an organisation should have the scope of its entire business recorded in an Asset Register. The organisation should have completed a threat model against each one of these assets, analysed the likelihood and impact of the associated risks, and documented the resulting exposure. If you’re not familiar with these procedures, take the time to read our articles above.
The organisation should also have documented an acceptable level of risk for each area of the business based on its criticality. The exposure of each asset should then have been accepted, avoided, transferred or marked for mitigation.
To learn more about these different ways to address risk, read:
Developing an Action Plan to Address Technology Risk.
The list of risks marked for mitigation is the outstanding exposure that requires IT Security controls to be implemented. Having a defined acceptable level of risk and an understanding of the criticality of each business function allows the organisation to make an informed decision on which security controls to implement.
The phrase security control is sometimes used interchangeably with safeguard or countermeasure. There are many different types of security controls, and they can be broken down into proactive and reactive controls.
Deterrent and preventive controls are types of proactive controls, as they are in place before an incident occurs. Examples of deterrent controls are warning banners on servers, an employee code of conduct in contracts and high perimeter walls around your premises.
The idea of a deterrent control is, as the name suggests, to discourage the threat actor from attempting the attack at all. Preventive controls are mechanisms like firewall rules, Intrusion Prevention Systems (IPS) and physical locks on secure rooms. The idea of a preventive control is to block the threat so that the incident never occurs.
Detective, compensating (also called compensative), corrective and recovery controls are all types of reactive controls because, at the stage where they act, the incident has already occurred or is already under way. Examples of detective controls are anti-malware/anti-virus software, Intrusion Detection Systems (IDS) and CCTV systems. The purpose of a detective control is to identify an intrusion that is in progress or has already happened and to alert the organisation so that it can respond.
Examples of compensating controls are insurance (cyber/premises) or having an alternative site available (hot/cold site). Compensating controls are used to limit the loss to the organisation after a vulnerability has been exploited, or to stand in where a primary control cannot be implemented.
Corrective and recovery controls include backups, electronic journaling and data archiving. Corrective controls remove the cause of the incident, for example by patching or reconfiguring the affected system, while recovery controls restore data and services and bring the business back to its normal state of operation.
Whichever security controls you choose to implement should be driven by the risk analysis that has been carried out. These security controls should be cost-effective but also appropriate to the level of security required to protect the resources: the cost of the control should not exceed the value of the asset or the loss it prevents. The organisation must continually manage and monitor its security controls to ensure they remain effective and to maintain sufficient security governance.
The essential part of risk management is understanding your risk. The organisation’s governance structure should be aware of the threat both before and after a control has been implemented, so that the effect of the control can be measured. If the company does not have in-house IT knowledge or expertise and cannot make an informed decision on its risk, it should consult an independent third-party expert in IT and risk management.
Once the risks are mitigated, the organisation should be able to accept any residual risk that remains. The risk management process should give the company a baseline to work from, or put it in a position to adopt a security framework, allowing it to drive security policy from the governance structure down through the organisation.