Information Security booklet » II Information Security Program Management » II.C Risk Mitigation
Management should develop and
implement appropriate controls to mitigate identified risks.
Once management has identified and measured the risks, it should
develop and implement an appropriate plan to mitigate those risks.
This plan should include an understanding of the extent and quality
of the current control environment. When conducting an evaluation
of the strength of controls, or the ability to mitigate risk, the
institution should consider the system of controls rather than any
Management should also obtain, analyze, and respond to
information from various sources (e.g., Financial Services
Information Sharing and Analysis Center [FS-ISAC]) on cyber threats
and vulnerabilities that may affect the institution. Management
should incorporate available information on cyber events into the
institution's information security program. Additionally,
management should develop, maintain, and update a repository of
cybersecurity threat and vulnerability information that may be used
in conducting risk assessments and provide updates to senior
management and the board on cyber risk trends.