List the existing controls for each risk

Run a workshop with the right stakeholders to identify the existing controls for an information system.

Existing controls

There will already be controls in place to reduce the likelihood or impact, or both, of an information system’s risks. Controls will be present regardless of whether the risk assessment is for an information system that is:

  • new
  • part of its development life cycle.

Stakeholders for existing controls

For this part of the risk assessment process for an information system, the stakeholders needed in the workshop are the:

  • business owner
  • subject matter experts who can identify and describe the controls that are currently in place.

Assessing the existing controls

If there is evidence about the effectiveness of the existing controls, make sure these stakeholders use it in assessing the controls. Otherwise, the Australian Cyber Security Centre has a list of controls, called ‘strategies’, that your team can use for assessing each control’s effectiveness.

Strategies to mitigate cyber security incidents — Australian Cyber Security Centre

Controls that reduce the likelihood of risks

Deterrent controls

These discourage potential attackers. Examples are:

  • establishing a policy for information security
  • a warning message on login screens
  • Kensington locks
  • security cameras.

Preventive controls

These proactively limit opportunities for exploiting information systems. Examples are:

  • a process for managing user accounts
  • restricting server-room access to authorised personnel
  • configuring appropriate rules on a firewall
  • implementing an access control list on a file share.

Controls that reduce the impact of risks

Detective controls

These are measures in place that identify when an incident has occurred. Examples are:

  • reviews of security logs for servers or firewalls
  • Intrusion Detection System (IDS) alerts.

Corrective controls

These fix the components of an information system after an incident has occurred. Examples are:

  • data backups
  • structured query language (SQL) transaction log shipping
  • plans for business continuity and disaster recovery.

Problems with existing controls

During the risk assessment, it’s possible that you and the stakeholders identify current controls as being either:

  • ineffective
  • not sufficient
  • no longer relevant.

Troubleshooting existing controls

If your team reaches one of those conclusions for an existing control, assess whether it should be either:

  • removed and replaced by another, more suitable control
  • kept in place and strengthened by adding 1 or more complementary controls.

These notes will help the business owner when evaluating the risks to the information system.

Evaluate the risks to an information system

Find the final risk ratings

For now, the business owner and stakeholders need to find the final risk ratings, taking into account the existing controls as they are.
