Best Practices for Risk Mitigation Security Controls
The following list identifies several best practices that can be followed when identifying risk mitigation security controls:
Ensuring the control is effective—The control should reduce or eliminate a threat or vulnerability, which it does by preventing events, detecting them, and/or recovering from them.
Reviewing controls in all areas—Review procedural, technical, and physical controls. It is easy to focus on controls in one area while neglecting controls in the others.
Reviewing NIST SP 800-53 families—These families provide an excellent check to determine whether controls are implemented throughout the IT infrastructure.
Redoing a risk assessment if a control has changed—A risk assessment is performed at a point in time. If the control has changed, the risk assessment needs to be redone using the new control.