19 October, 2006

Control

In the entire risk structure, the only thing that DS as an organization can reliably affect is the Controls/Management aspect. All other aspects of the process are defined outside of DS. We need to identify them, and we can determine which are in context for us, but we cannot change them. Within Likelihood, the threats are controlled by the originators of the threats. Vulnerabilities are a function of what we choose to use, and though they can be fixed (and must be), more will continue to appear. Within Impact, immediacy and significance are either inherent or defined by the business needs.

Controls are the key

Control Types – addresses the degree to which a control is effective for a given threat and at a given level of the controls hierarchy

There are two primary Control types: Preventive and Mitigating.

Control types are complementary, not exclusive.

A given Control might be preventive at one layer of the controls hierarchy and mitigating at another.

• Preventive controls stop the unwanted action from occurring.
• Examples:
  • Passwords stop unauthorized users from accessing a system.
  • Patches prevent exploits from affecting a system.
• One of the weaknesses of Preventive controls is that it is impossible to ensure 100% compliance, and in isolation a breach allows full exploitation (once they have root…).
• One of the strengths of Preventive controls is that when they work they completely eliminate the threat they are designed for.

• Mitigating controls limit the scope of an unwanted action and reduce its impact.
• Examples:
  • Access Rights control where one can go once inside.
  • Approval limits minimize the amount of potential mistakes and malfeasance.
• One of the weaknesses of Mitigating controls is that they rarely completely stop a threat.
• One of the strengths of Mitigating controls is that they can be more easily and broadly implemented because they are less likely to impact the business.

More detail next post