Mitigating risk

8 September, 2015 - 16:42

Risk mitigation refers to the actions designed to counter identified threats. These actions are also referred to as controls, and, as with information system threats, there are numerous frameworks for categorizing the various controls intended to avoid system failure or compromise. A framework that we have found to be both comprehensive and comprehensible divides mitigation controls into three broad categories:

  1. Management controls: managerial processes which identify organizational requirements for system confidentiality, integrity and availability and establish the various management controls intended to ensure that those requirements are satisfied.
  2. Operational controls: day-to-day processes more directly associated with the actual delivery of the information services.
  3. Technical controls: technical capabilities incorporated into the IT infrastructure specifically to support increased confidentiality, integrity and availability of information services.

The remaining sections of this chapter present a general overview of managerial and operational controls and a subset of technical controls (technology investments associated primarily with improving system availability in the face of non-malicious threats). Technical controls associated with malicious threats are addressed in Chapter ?? on security.