Then review the mitigation options and determine appropriateness:
Many times, several lower cost controls can be combined to yield better risk reduction than one complex expensive control.
It is essential that management support these processes and set the proper “tone” so that controlled processes are honored. Dr. Deming would emphasize that there are only two outcomes for a process: you either follow it or formally change it.
Process designs that embody proper controls can yield operational, security and regulatory compliance benefits. To be effective and efficient, they must be implemented on the basis of risk such that the controls used reduce the risks to objectives to an acceptable level.
Risk mitigation beyond that point can result in needlessly expensive processes that are too complex for people to sustain in the long term. Processes need to be designed with these requirements in mind so that they yield not only controlled processes but, more importantly, controlled processes that can actually be sustained over the long term.
George Spafford is a principal consultant with Pepperweed Consulting and a long-time IT professional. George’s professional focus is on compliance, security, management and overall process improvement.