Mitigations

Overview

The Mitigations component is a critical part of the Risk Management module, designed to help organizations plan, implement, and track specific actions to reduce identified security risks. This component provides a structured approach to risk treatment, enabling you to document, assign, and monitor mitigation activities.

Effective risk mitigation is essential for reducing your organization's security exposure and demonstrating due diligence in addressing identified risks. The Mitigations component integrates with the Risks component and other elements of the Risk & Compliance Suite to provide a comprehensive approach to risk management.

Key Features

Mitigation Planning

  • Task Definition - Create detailed plans for addressing identified risks

  • Resource Allocation - Assign personnel and resources to mitigation activities

  • Timeline Management - Set realistic deadlines for implementation

  • Priority Setting - Determine the relative importance of different mitigation tasks

  • Mitigation Strategy - Document the approach for reducing risk exposure

Mitigation Assignment

  • Owner Designation - Assign responsibility for implementing mitigation tasks

  • Stakeholder Involvement - Identify all parties affected by or contributing to the mitigation

  • Notification System - Alert relevant personnel about assignments and deadlines

  • Accountability Tracking - Monitor ownership and responsibility for each task

  • Escalation Procedures - Address delays or implementation challenges

Mitigation Monitoring

  • Status Tracking - Monitor the current state of each mitigation task

  • Progress Updates - Record incremental steps toward implementation

  • Due Date Management - Track deadlines and identify overdue tasks

  • Dependency Management - Handle relationships between related mitigation activities

  • Implementation Evidence - Document proof of completed activities

Mitigation Effectiveness

  • Effectiveness Assessment - Evaluate whether mitigations have reduced the risk

  • Testing Procedures - Define and execute tests to verify implementation

  • Evidence Review - Examine documentation of completed mitigations

  • Residual Risk Calculation - Determine remaining risk after mitigation

  • Continuous Improvement - Refine mitigation strategies based on outcomes

Getting Started

Accessing the Mitigations Component

  1. Log in to your AskInfosec account

  2. Navigate to the main dashboard

  3. Select "Risk Management" from the main navigation menu

  4. Click on "Mitigations" in the submenu

  5. You will be directed to the Mitigations dashboard

Mitigations Dashboard

The Mitigations dashboard provides an overview of your organization's risk mitigation activities, including:

  • Mitigation Summary - Total mitigation tasks by status and priority

  • Recent Mitigations - Latest mitigation tasks created or updated

  • Overdue Mitigations - Tasks past their implementation deadline

  • Mitigation by Owner - Tasks grouped by responsible individuals

  • Mitigation Trends - Patterns in task creation and completion

Managing Mitigations

Creating a New Mitigation Task

To define steps for addressing an identified risk:

  1. From the Mitigations dashboard, click the "Add Mitigation Task" button

  2. Enter basic task information:

    • Task Name

    • Description

    • Priority (High, Medium, Low)

    • Related Risk (if applicable)

    • Assigned To

    • Due Date

  3. Add detailed information:

    • Implementation steps

    • Success criteria

    • Required resources

  4. Click "Create" to add the mitigation task

  5. You will be directed to the task details page for further documentation

Mitigation Task Details

The mitigation task details page contains comprehensive information about a specific mitigation activity:

  1. Basic Information - Name, description, priority, and due date

  2. Assignment - Individuals responsible for implementation

  3. Status - Current state of the implementation process

  4. Related Items - Associated risks, controls, and other elements

  5. Attachments - Supporting documentation and evidence

  6. Comments - Discussion and updates related to the task

Creating a Mitigation from a Risk

To create a mitigation task directly from a risk:

  1. Navigate to the risk details page

  2. In the Risk Treatment section, ensure "Mitigate" is selected as the strategy

  3. Click "Add Mitigation Task"

  4. Enter the mitigation task details as described above

  5. The task will be automatically linked to the risk

  6. Save the mitigation task

Mitigation Task Assignment

To designate responsibility for implementing a mitigation task:

  1. Navigate to the mitigation task details page

  2. In the Assignment section, select:

    • Primary owner (responsible for overall implementation)

    • Additional stakeholders (contributing to implementation)

  3. Set or update the target completion date

  4. Save the assignment information

  5. The system will notify assigned individuals

Mitigation Task Status Management

Mitigation tasks move through the following statuses. The first four form the normal sequence; Deferred sits outside that sequence and can be applied to a task that has not yet been verified:

  1. Open - Initially created, not yet started

  2. In Progress - Implementation activities have begun

  3. Completed - Implementation finished, pending verification

  4. Verified - Confirmed as successfully implemented

  5. Deferred - Temporarily postponed, with the reason recorded in the status-change comment

To update a mitigation task's status:

  1. Navigate to the mitigation task details page

  2. Click "Update Status"

  3. Select the new status

  4. Provide comments explaining the status change

  5. Upload supporting documentation if applicable

  6. Save the status update

Implementing Mitigations

Planning Implementation

To develop a detailed implementation plan:

  1. Navigate to the mitigation task details page

  2. In the Implementation Plan section, document:

    • Specific steps required

    • Timeline for each step

    • Required resources

    • Potential challenges

    • Success criteria

  3. Save the implementation plan

  4. Update as needed during the implementation process

Tracking Implementation Progress

To monitor implementation activities:

  1. Navigate to the mitigation task details page

  2. Add progress updates in the Comments section

  3. Update the completion percentage

  4. Document completed steps

  5. Identify any challenges or delays

  6. Adjust the plan if necessary

Documenting Implementation Evidence

To record proof of implementation:

  1. Navigate to the mitigation task details page

  2. Select the "Attachments" tab

  3. Click "Add Attachment"

  4. Choose the attachment type:

    • Document upload

    • Screenshot

    • Link to existing document

    • External reference

  5. Provide a description explaining how the attachment demonstrates implementation

  6. Upload or link the attachment

  7. Save the attachment record

Verifying Mitigations

Verification Process

To confirm that a mitigation task has been properly implemented:

  1. Navigate to the mitigation task details page

  2. Review the implementation evidence

  3. Conduct testing to verify effectiveness if necessary

  4. Document the verification process:

    • Tests performed

    • Results observed

    • Conclusion regarding effectiveness

  5. If the evidence and test results show the mitigation is in place, update the status to "Verified"

  6. If it is not fully implemented, record what is missing in the comments and return the task to "In Progress"
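The status lifecycle above and this verification process together define a small set of rules: only certain status changes are allowed, every change needs a comment, a task cannot be marked Completed without implementation evidence, and a verification either moves the task to Verified or sends it back to In Progress. The following is an added example that models those rules in Python so they can be checked mechanically, for instance in a script that audits exported task data; it is not AskInfosec code and does not use any AskInfosec API. The transitions in and out of Deferred, treating Verified as terminal, counting a Completed task as having met its implementation deadline, and refusing to let the task owner verify their own work are assumptions added here, not rules stated by the guide. The sample task and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Status(Enum):
    OPEN = "Open"
    IN_PROGRESS = "In Progress"
    COMPLETED = "Completed"
    VERIFIED = "Verified"
    DEFERRED = "Deferred"


# Open -> In Progress -> Completed -> Verified follows the guide; Completed -> In
# Progress is its "not fully implemented" path. Moving in and out of Deferred, and
# treating Verified as terminal, are assumptions the guide does not spell out.
TRANSITIONS = {
    Status.OPEN: {Status.IN_PROGRESS, Status.DEFERRED},
    Status.IN_PROGRESS: {Status.COMPLETED, Status.DEFERRED},
    Status.COMPLETED: {Status.VERIFIED, Status.IN_PROGRESS},
    Status.DEFERRED: {Status.OPEN, Status.IN_PROGRESS},
    Status.VERIFIED: set(),
}


class TransitionError(ValueError):
    """A status change that violates the lifecycle rules."""


@dataclass
class MitigationTask:
    name: str
    owner: str
    due: date
    status: Status = Status.OPEN
    attachments: list = field(default_factory=list)  # (kind, description) pairs
    history: list = field(default_factory=list)      # (when, old, new, actor, comment)

    def is_overdue(self, today: date) -> bool:
        # Assumption: Completed meets the implementation deadline even while
        # verification is pending, and Deferred tasks carry an accepted new date.
        return today > self.due and self.status in (Status.OPEN, Status.IN_PROGRESS)

    def add_evidence(self, kind: str, description: str) -> None:
        if not description.strip():
            raise ValueError("evidence needs a description of what it demonstrates")
        self.attachments.append((kind, description))

    def update_status(self, new: Status, actor: str, comment: str, when: date) -> None:
        if new not in TRANSITIONS[self.status]:
            raise TransitionError(f"{self.status.value} -> {new.value} is not allowed")
        if not comment.strip():
            raise TransitionError("a comment explaining the status change is required")
        if new is Status.COMPLETED and not self.attachments:
            raise TransitionError("Completed requires implementation evidence")
        if new is Status.VERIFIED and actor == self.owner:
            # Assumed segregation-of-duties rule; the guide does not state it.
            raise TransitionError("the task owner cannot verify their own task")
        self.history.append((when, self.status, new, actor, comment))
        self.status = new


def verify(task, verifier, tests, results, effective, when):
    """Record the verification, then move to Verified or back to In Progress."""
    target = Status.VERIFIED if effective else Status.IN_PROGRESS
    task.update_status(target, verifier, f"Tests: {tests}; Results: {results}", when)
    return task.status


def demo():
    """Walk one constructed task through the lifecycle; all data is made up."""
    task = MitigationTask("Enforce MFA on VPN", owner="alice", due=date(2024, 5, 31))
    task.update_status(Status.IN_PROGRESS, "alice", "Pilot rollout started", date(2024, 5, 20))
    overdue = task.is_overdue(date(2024, 6, 1))  # past due and still In Progress
    try:  # no evidence attached yet, so Completed must be refused
        task.update_status(Status.COMPLETED, "alice", "Rollout finished", date(2024, 6, 1))
        evidence_gate_held = False
    except TransitionError:
        evidence_gate_held = True
    task.add_evidence("screenshot", "IdP policy showing MFA required for the VPN app")
    task.update_status(Status.COMPLETED, "alice", "Rollout finished", date(2024, 6, 1))
    try:  # the owner may not verify her own work
        verify(task, "alice", "VPN login without MFA", "denied", True, date(2024, 6, 3))
        owner_verify_rejected = False
    except TransitionError:
        owner_verify_rejected = True
    final = verify(task, "bob", "VPN login without MFA", "denied, MFA prompt shown",
                   True, date(2024, 6, 3))
    return {
        "overdue_before_completion": overdue,
        "evidence_gate_held": evidence_gate_held,
        "owner_verify_rejected": owner_verify_rejected,
        "final_status": final.value,
        "history_len": len(task.history),
    }
```

Running `demo()` walks a task from Open to Verified and shows the two gates refusing the invalid changes (Completed with no evidence, Verified by the owner) while recording every accepted change in `history`, which is the same audit trail the status-change comments and attachments provide in the product.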

Effectiveness Assessment

To evaluate whether a mitigation has reduced the associated risk:

  1. Navigate to the mitigation task details page

  2. In the Effectiveness Assessment section, document:

    • Whether the mitigation has been fully implemented

    • Whether it has reduced the risk as expected

    • Any remaining concerns or residual issues

    • Recommendations for further action if needed

  3. Save the assessment information

  4. Update the residual risk assessment on the related risk

Mitigation Integration

Linking Mitigations to Risks

Mitigation tasks are typically created in response to identified risks. To link an existing task to one or more risks:

  1. Navigate to the mitigation task details page

  2. Select the "Risks" tab

  3. Click "Link Risks"

  4. Search for and select relevant risks

  5. Save the associations

  6. The mitigation task will appear in the related risks

Connecting Mitigations to Controls

To associate mitigation tasks with security controls:

  1. Navigate to the mitigation task details page

  2. Select the "Controls" tab

  3. Click "Link Controls"

  4. Search for and select relevant controls

  5. Save the associations

  6. The task will be visible in the control details

Mitigation Reporting

Standard Reports

The system provides several standard mitigation reports:

  1. Mitigation Register - Complete inventory of all mitigation tasks

  2. Mitigation Status Report - Overview of implementation progress

  3. Overdue Mitigations - Tasks past their target completion date

  4. Mitigations by Owner - Tasks grouped by responsible individuals

  5. Mitigation Effectiveness - Assessment of mitigation outcomes and impact

Custom Reports

To create a custom mitigation report:

  1. Navigate to the Reports section

  2. Click "Create Custom Report"

  3. Select report type (Mitigations)

  4. Choose filtering and grouping options

  5. Select display columns and sorting

  6. Generate the report

  7. Export to PDF, Excel, or CSV format

Best Practices

Mitigation Planning

  • Be specific - Clearly define what needs to be done

  • Address root causes - Focus on underlying issues, not just symptoms

  • Set realistic timelines - Allow adequate time for implementation

  • Consider dependencies - Identify relationships between mitigations

  • Define success criteria - Establish how effectiveness will be measured

Mitigation Assignment

  • Choose appropriate owners - Assign to individuals with relevant expertise

  • Ensure authority - Verify that owners have the power to implement changes

  • Balance workload - Avoid overloading specific individuals

  • Clarify expectations - Ensure owners understand what's required

  • Provide resources - Ensure necessary tools and support are available

Mitigation Implementation

  • Follow the plan - Adhere to the defined implementation steps

  • Document progress - Record all activities and milestones

  • Address obstacles - Promptly resolve implementation challenges

  • Communicate regularly - Keep stakeholders informed of status

  • Adapt as needed - Adjust plans based on new information or challenges

Mitigation Verification

  • Be thorough - Conduct comprehensive testing of implemented mitigations

  • Remain objective - Base verification on evidence, not assumptions, and where possible have someone other than the task owner perform the verification

  • Document results - Record all verification activities and outcomes

  • Consider long-term effectiveness - Evaluate sustainability of solutions

  • Learn from experience - Use insights to improve future mitigations

Troubleshooting

Common Issues

  • Vague mitigation plans - Ensure specific, measurable implementation steps

  • Unrealistic deadlines - Adjust timelines to reflect actual requirements

  • Inadequate resources - Secure necessary personnel and tools

  • Implementation delays - Address obstacles promptly and adjust plans

  • Ineffective mitigations - Revisit mitigation strategy if risk isn't reduced

Getting Support

If you encounter issues with the Mitigations component:

  1. Check the in-app help documentation

  2. Contact your organization's system administrator

  3. Submit a support ticket through the AskInfosec support portal

Conclusion

The Mitigations component provides the tools and structure needed to plan, implement, track, and verify risk reduction activities in a consistent, comprehensive manner, and to keep the evidence that shows each identified risk was addressed.

By following the processes outlined in this guide, you can establish a robust mitigation program that helps your organization address security risks, implement improvements, and strengthen your overall security posture.
