Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 68
The Lifecycle of a Control
As with any systems element and the systems themselves, risk mitigation and security controls have a lifecycle that they progress through, from initial observation and expression of a need through implementation, use, and replacement or retirement. More specifically, that lifecycle might include the following:
Risk identification and characterization
Vulnerability assessments, with links to specific risks
Risk management planning decisions, on a per-risk basis, in terms of what to accept, transfer, treat, or avoid
Risk mitigation decisions, including specifics as to the chosen controls and the anticipated residual risk after the controls are put into practice
Success criteria, in operational terms, which indicate whether the control is successfully performing its functions
Anticipated ongoing costs and efforts to use and maintain a set of controls
End-user and support team training, including any requalification training, needed to keep the controls operating effectively
Continuous, ongoing monitoring of operational use of the controls
Ongoing periodic or random assessment, including penetration testing, aimed at assessing the controls
Decisions to upgrade, replace, or completely retire a set of controls
As you'll see in Chapter 3, there are a number of information products generated by risk management and risk mitigation planning. Although they may be known by various names or be produced in many different formats, the core set of information includes the business impact analysis, risk assessment, risk mitigation plan, and the change management and baseline documentation for the chosen and implemented controls. These could include vendor-supplied manuals as well as your organization's own functional performance requirements allocated to a particular control.