Determining effective implementation of mitigation strategies
Update: 2023-05-17
Description
Upon concluding assessment activities, assessors will need to determine whether mitigation strategies were implemented effectively or not. This determination requires a combination of judgement and consideration of the following factors:
- adoption of a risk-based approach to the implementation of mitigation strategies
- ability to test the mitigation strategies across an accurate representative sample of workstations (including laptops), servers and network devices
- level of assurance gained from assessment activities and any evidence provided (noting the quality of evidence)
- any exceptions, including associated compensating controls, and whether they have been accepted by an appropriate authority as part of a formal exception process.
Assessors should use the ACSC’s standardised assessment outcomes, which are:
- Effective: The organisation is effectively meeting the control’s objective.
- Ineffective: The organisation is not adequately meeting the control’s objective.
- Alternate control: The organisation is effectively meeting the control’s objective through an alternate control.
- Not assessed: The control has not yet been assessed.
- Not applicable: The control does not apply to the system or environment.
- No visibility: The assessor was unable to obtain adequate visibility of a control’s implementation.
Beyond Cyber 101 mentorship into cybersecurity and beyond.