
A Vulnerability is a weakness in, or the absence of, a control relative to the threats the asset actually faces. For example, an office building made from brick may be strong enough to withstand a Category 4 hurricane. If Category 4 hurricanes are uncommon where the office is located, brick construction is an adequate control for hurricanes (assuming the windows and other parts of the building also hold up). However, if the same building were located in an earthquake zone where magnitude 5 earthquakes are not uncommon, and the brick construction makes it likely the building would collapse in a magnitude 5 quake, you have a vulnerability, or weak control. The same construction is adequate in one location and vulnerable in another; the vulnerability exists only in relation to a threat. In the same way, if employees share passwords, if the company has inadequate procedures to detect attempts at identity theft, or if business continuity plans are not tested periodically, you have a vulnerability.



In addressing a Vulnerability, you have four choices:

  1. Acceptance: You can accept the existing controls as adequate to address the business' tolerance for risk. Acceptance should be a documented decision by someone with the authority to accept the risk, not the default result of doing nothing.
  2. Mitigation: You can take additional steps to mitigate the risk by strengthening or adding controls.
  3. Assignment: You can assign or transfer the risk to another entity, such as by taking out insurance or contracting the process to a third party. Note that transfer usually covers the financial loss, not the reputational or regulatory consequences, which typically remain with the organization.
  4. Avoidance: If the level of risk is still not acceptable, even after considering mitigation and assignment, the only recourse may be to abandon the process, product or technology.

The next page deals with the types of Controls that can be used to mitigate the risk in an organization.