Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation

The primary purpose of controls, countermeasures, and safeguards is to mitigate risk. Controls are implemented at a point in time to reduce the risks at that time. However, threats and vulnerabilities change, and, because they do, the effectiveness of the controls can change. Therefore, regularly assessing controls to ensure they are effective is important.

The effectiveness of a control can be measured by determining how well it meets its goals. A control will attempt to mitigate risk by:

  • Reducing the impact of threats to an acceptable level—For example, the threat of a hurricane can’t be stopped, but a business continuity plan that identifies an alternate location for the business can reduce the threat.
  • Reducing a vulnerability to an acceptable level—For example, some denial of service (DoS) attacks can take down unpatched servers. Keeping servers up to date with current patches makes them less vulnerable to known DoS attacks.

A risk assessment will evaluate the threats and vulnerabilities at a specific time and recommend controls based on the known risks when the assessment is performed. It should be repeated periodically.

Additionally, a risk assessment should be repeated if the control is changed. For example, if a hardware firewall is replaced with a different model, the original risk assessment is no longer valid and should be redone with the new firewall.

TIP

The terms countermeasure, safeguard, and control are used interchangeably. Each is used to mitigate risk.
