Identification of Existing Controls

00:01

Lesson 4.4 Identification of existing controls

00:10

In this video, we will cover the identification of controls

00:14

and why this is an important step in your risk management process.

00:21

Controls can be identified from your statement of applicability,

00:25

existing processes and procedures,

00:29

previous orders,

00:31

risk treatment plans

00:33

as well as from your information security I t. Another stuff.

00:40

The purpose of the step is to avoid incurring unnecessary work or cost. For example, by implementing a duplication of controls.

00:50

Before you go into your risk

00:53

assessment and treatment processes, it is important to understand what you already have in place.

01:00

This step also allows you and your team the opportunity to review and assess the existing controls

01:07

to determine if they are actually operating as intended,

01:11

or if additional work on these controls needs to be planned and implemented.

01:15

Any plan. Controls should also be considered here.

01:21

This step should be quite easy. If you've already finished your statement of applicability,

01:26

knowing the controls you already have in place will help you to understand which risks may already have mitigating features around them.

01:34

Understanding the controls you have as well as the current maturity of these controls

01:40

is valuable in seeing if any of these controls are actually creating a vulnerability.

01:46

For example,

01:48

a user access review control that is not happening as per its defined frequency

01:53

can result in a controlled breakdown and therefore be seen as a vulnerability.

02:00

Those who know the control is not operating as it should. Ah, well positioned to potentially take advantage of this.

02:08

If you have controls that our plan to be implemented,

02:13

these are also relevant to the risk assessment and will feed through to risk treatment plan, if not already there.

02:20

At the end of this exercise, you should have some sort of document

02:23

either, as an addendum of sorts to your statement of applicability were documented somewhere else

02:30

that lists the controls that exist their current effectiveness,

02:35

any noted breakdowns as well as controls that are planned to be implemented in future,

02:40

as mentioned

02:43

previous audits, risk treatment plans, information security management processes,

02:49

the information Security and I T staff

02:52

can all be sources to help identify and provide input on these controls

03:00

to summarize

03:01

in this lesson, we covered why existing controls need to be identified