Risk mitigation

Definitions

Risk mitigation is

“

the selection and implementation of security controls to reduce the risk to a level acceptable to management, within applicable constraints.

”

“

[t]he identification of ways to minimize or eliminate project risks. Depending on the severity of the risk and the level of effort for the mitigation strategies, it may be appropriate to initiate several mitigation activities. In other cases, it may not be possible to mitigate a risk.[1]

”

“

reflect[s] an organizational perspective on what mitigations are employed and where the mitigations are applied to reduce risks to organizational operations and resources and to other organizations. Risk mitigation strategies are the primary link between organizational risk management programs and cybersecurity programs — with the former covering all aspects of managing risk and the latter being primarily a part of the risk response component of the RMP. Effective risk mitigation strategies consider the general placement and allocation of mitigations, the degree of intended mitigation, and cover mitigations at each tier.[2]

”

“

prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.[3]

”

Overview

Risk mitigation occurs after the risk assessment phase is complete. Risk mitigation encompasses the prioritization, evaluation, and implementation of appropriate security controls identified during the risk assessment phase.

In the risk mitigation phase, the organization identifies the types of controls that could be employed to reduce the level of risk to an acceptable level. These solutions may include management, operational, and/or technical controls. These controls may require the use of an IT security product. For instance, firewall and intrusion detection products are necessary elements of technical controls employed to limit the threats that can impact an organization’s IT infrastructure. Once an organization has decided to implement a security technology, it should evaluate existing products in the context of its own security architecture to determine the best option.

NIST Special Publication 800-30 identifies seven major activities to be conducted as part of the risk mitigation phase:

1. Prioritize actions
2. Evaluate recommended control options
3. Conduct a cost-benefit analysis
4. Select appropriate controls
5. Assign implementation responsibility
6. Develop an implementation plan
7. Implement selected controls.

References

1. California Office of Systems Integration, Definitions (full-text).
2. Electricity Subsector Cybersecurity Risk Management Process, App. G, at 84.
3. NIST Special Publication 800-30; CNSSI 4009.