Risk mitigation can only be done by first identifying the risk. And risk identification can only be done by characterization of the assets, discovery of vulnerabilities of those assets and determination of threats and/or possible harm to that system.
So risk mitigation is based on the results of risk assessments.
Risk assessment is a 9 step process.
1) System characterization – a system is an organization asset. So the first step is to discover all the features of that system and understand why it is important.
2) Threat Identification – risk is determined by the likelihood of a threat affecting the weakness of an asset. To limit the risk (risk mitigation), a security practitioner must determine the possible threat, find the weakness and then come up with a way to protect that system.
3) Vulnerability Identification – The security practitioner (information system security officer, information system security analyst, system security engineer etc) must find the weakness of a system.
4) Security Control Analysis – The security control protecting the vulnerability is the actual risk mitigation. Analysis is determining what is needed, when and how much it will cost.
5) Likelihood determination – The importance of risk mitigation is directly proportionate to the likelihood of the threat impacting the organization and its assets vulnerabiltiy.
6) Impact Analysis – The bottom line of risk is the impact that will occur if harm should come to an asset. If the asset ceases to function, what happens to the organization? That question should drive how and why risk is mitigated.
7) Risk Determination / Risk Identification – Based on all the data gathered you can make a pretty good risk determination. You should have defined the systems components and what data is important, made a pretty good conclusion on threat sources and likelihood of the vulnerability exploits and know exactly what kind of impact there will be if the system goes down.
8) Control Recommendation – This is where the actual RISK MITIGATION comes in. All data is gathered from the risk assessment and risk has been identified and evaluated. Risk is mitigated by applying to correct security controls.
9) Results Documentation – The mitigation of risk must be documented for future reference. Sometimes it can only be mitigated later and documented in a Plan of Action and Milestone.
Who does Mitigates the Risk:
First of all, risk cannot always be mitigated. In this cases it is documented in something called a Plan of Action and Milestone (POA&M). And sometimes risk is simple accepted because there is just nothing that can be done. The mitigation of risk is the responsibility of the system owner. The system owner will sometime have a right hand adviser on matters of security, a Chief Security Officer who is not afraid to say NO and will always give the system owner (CIO) the facts no matter how gruesome. The CSO (or equivalent) delegates risk mitigation (implementation of security controls) to security practitioners (DoD 8140 compliant professionals) who hopefully know what they are doing.