Lesson 4.4 Identification of existing controls
In this video, we will cover the identification of controls
and why this is an important step in your risk management process.
Controls can be identified from your statement of applicability,
existing processes and procedures,
risk treatment plans
as well as from your information security, IT and other staff.
The purpose of this step is to avoid incurring unnecessary work or cost, for example by implementing duplicate controls.
Before you go into your risk
assessment and treatment processes, it is important to understand what you already have in place.
This step also allows you and your team the opportunity to review and assess the existing controls
to determine if they are actually operating as intended,
or if additional work on these controls needs to be planned and implemented.
Any planned controls should also be considered here.
This step should be quite easy if you've already finished your statement of applicability.
Knowing the controls you already have in place will help you to understand which risks may already have mitigating features around them.
Understanding the controls you have as well as the current maturity of these controls
is valuable in seeing if any of these controls are actually creating a vulnerability.
A user access review control that is not happening at its defined frequency
can result in a control breakdown and therefore be seen as a vulnerability.
Those who know the control is not operating as it should are well positioned to potentially take advantage of this.
If you have controls that are planned to be implemented,
these are also relevant to the risk assessment and will feed through to the risk treatment plan, if not already there.
At the end of this exercise, you should have some sort of document,
either as an addendum of sorts to your statement of applicability or documented somewhere else,
that lists the controls that exist, their current effectiveness,
any noted breakdowns, as well as controls that are planned to be implemented in future.
Previous audits, risk treatment plans, information security management processes,
and the information security and IT staff
can all be sources to help identify and provide input on these controls.
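As an added illustration, not part of the lesson itself, here is a small Python control register that applies the lesson's own test: a periodic control such as a user access review that has not run within its defined frequency is recorded as a breakdown, planned controls are carried separately, and the rest are treated as effective. Control IDs, names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed register: IDs, names and dates are illustrative, not from a real SoA.
@dataclass
class Control:
    control_id: str
    name: str
    status: str                            # "implemented" or "planned"
    frequency_days: Optional[int] = None   # required operating frequency, if periodic
    last_performed: Optional[date] = None  # last evidenced execution of the control
    planned_for: Optional[date] = None     # target date for a planned control

def assess(control: Control, today: date) -> str:
    """Classify a control as 'planned', 'effective' or 'breakdown'."""
    if control.status == "planned":
        return "planned"
    if control.frequency_days is None:
        # Continuous control: no periodic evidence expected (assumption of this example).
        return "effective"
    if control.last_performed is None:
        # Periodic control with no evidence it has ever run is a breakdown.
        return "breakdown"
    due_by = control.last_performed + timedelta(days=control.frequency_days)
    return "breakdown" if today > due_by else "effective"

def build_register(controls, today: date) -> dict:
    """Group control IDs by assessed status, the shape of the lesson's output document."""
    register = {"effective": [], "breakdown": [], "planned": []}
    for control in controls:
        register[assess(control, today)].append(control.control_id)
    return register

SAMPLE_CONTROLS = [
    Control("CTRL-01", "Quarterly user access review", "implemented", 90, date(2023, 11, 1)),
    Control("CTRL-02", "Monthly backup restore test", "implemented", 30, date(2024, 2, 20)),
    Control("CTRL-03", "Full-disk encryption on laptops", "implemented"),
    Control("CTRL-04", "Privileged access management tool", "planned", planned_for=date(2024, 9, 1)),
]

if __name__ == "__main__":
    for status, ids in build_register(SAMPLE_CONTROLS, date(2024, 3, 1)).items():
        print(f"{status}: {ids}")
```

Running it on the sample data places the overdue access review under breakdown, which is exactly the item that should be raised in the risk assessment rather than assumed to be mitigating.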
In this lesson, we covered why existing controls need to be identified,
and we also examined some of the sources that can be used to assist in this process.