The primary purpose of controls, countermeasures, and safeguards is to mitigate risk. Controls are implemented at a point in time to reduce the risks present at that time. However, threats and vulnerabilities change, and as they change, the effectiveness of the controls can change too. It is therefore important to assess controls regularly to ensure they remain effective.
The effectiveness of a control can be measured by determining how well it meets its goals. A control will attempt to mitigate risk by:
A risk assessment will evaluate the threats and vulnerabilities at a specific time and recommend controls based on the known risks when the assessment is performed. It should be repeated periodically.
Additionally, a risk assessment should be repeated if the control is changed. For example, if a hardware firewall is replaced with a different model, the original risk assessment is no longer valid and should be redone with the new firewall.
The terms countermeasure, safeguard, and control are used interchangeably. Each is used to mitigate risk.