Security Risk Control
Assesses and prioritizes risks so that appropriate handling and monitoring activities can be put in place.
Capability Building Blocks
- C1 Security Threat Profiling
  - Gather intelligence on IT security threats and vulnerabilities to better understand the IT security threat landscape within which the organization operates – including, for example, the actors, scenarios, and campaigns that might pose a threat.
- C2 Security Risk Assessment
  - Identify exposures to security-related risks, and quantify their likelihood and potential impact.
- C3 Security Risk Prioritization
  - Prioritize information security risks and risk handling strategies based on residual risks and the organization’s risk appetite.
- C4 Security Risk Handling
  - Implement strategies for handling information security risk, including risk acceptance, transfer, absorption, and mitigation, as appropriate. Promote interaction with incident management functions.
- C5 Security Risk Monitoring
  - Manage the ongoing efficacy of information security risk handling strategies and control options.