II.C.4 Control Implementation

Management should implement controls that align security with
the nature of the institution's operations and strategic direction.
Based on the institution's risk assessment, the controls should
include, but may not be limited to, patch management, asset and
configuration management, vulnerability scanning and penetration
testing, endpoint security, resilience controls, logging and
monitoring, and secure software development (including third-party
software development). In implementing controls, management should
ensure it has the necessary resources, personnel training, and
testing to maximize the effectiveness of the controls.

The level at which controls are implemented should depend on the
institution's size, complexity, and risk profile, but all
institutions should implement appropriate controls. In light of
increasing cybersecurity risks, management should implement
risk-based controls for managing cybersecurity threats and
vulnerabilities, such as interconnectivity risk. Management should
review and update the security controls as necessary depending on
changes to the internal and external operating environment,
technologies, business processes, and other factors.

The institution can reference one or more recognized technology
frameworks and industry standards. Several organizations have
published control listings in addition to implementation guidance,
including the following: