II.C Risk Mitigation
Management should develop and implement appropriate controls to mitigate identified risks.
Once management has identified and measured the risks, it should develop and implement an appropriate plan to mitigate those risks. This plan should include an understanding of the extent and quality of the current control environment. When conducting an evaluation of the strength of controls, or the ability to mitigate risk, the institution should consider the system of controls rather than any discrete control.
Management should also obtain, analyze, and respond to information from various sources (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC]) on cyber threats and vulnerabilities that may affect the institution. Management should incorporate available information on cyber events into the institution's information security program. Additionally, management should develop, maintain, and update a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments and provide updates to senior management and the board on cyber risk trends.