Introducing OCTAVE Allegro - Software Engineering Institute ...
Step 8 – Select Mitigation Approach

BACKGROUND AND NOTES

• Mitigation approach – The way that an organization intends to address a risk. An organization has the following options: accept, mitigate, or defer.
  − Accept – A decision made during risk analysis to take no action to address a risk and to accept the stated consequences. Risks that are accepted should have little to low impact on the organization.
  − Mitigate – A decision made during risk analysis to address a risk by developing and implementing controls to counter the underlying threat or to minimize the resulting impact, or both. Risks that are mitigated are those that typically have a medium to high impact on an organization.
  − Defer – A situation where a risk is neither accepted nor mitigated, based on the organization's desire to gather additional information and perform additional analysis. Deferred risks are monitored and re-evaluated at some point in the future. Risks that are deferred are generally not an imminent threat to the organization, nor would they significantly impact the organization if realized.
• Residual risk – Residual risk is the risk that remains after a mitigation approach has been developed and implemented for the range of risks that affect an information asset. The residual risk that remains must be acceptable to the organization.

GENERAL NOTES

In Step 8, you consider which risks you need to mitigate and how. This is done by prioritizing risks, deciding on an approach for each important risk based on a number of organizational factors, and developing a mitigation strategy that considers the value of the asset and the places where it lives.

The decision to accept a risk, mitigate it, or defer it is based on a number of important factors. Impact value is a primary driver, but so is probability. If a risk could seriously or significantly impact the organization but is highly unlikely to occur, you may not want to mitigate it. Unfortunately, there is no decisive path to follow for deciding which risks to mitigate. Often, this is a decision that is driven by the individuals involved in the risk assessment and their knowledge of the organization.

Once the decision is made to mitigate a risk, you must develop an effective and efficient mitigation strategy. Deciding how to mitigate a risk is a complex endeavor and may require discussion with other skilled personnel in your organization. Because the owner of an information asset and the custodian of the asset are typically two different people, both must collaborate on the best strategy for providing overall protection.
58 | CMU/SEI-2007-TR-012