Responding to and mitigating security risks
When delivering a service, your approach to responding to security risks is based on your risk appetite. You need to decide whether to accept them or propose appropriate mitigations.
The risk register produced when performing a security risk assessment outlines the risks and their rating prior to implementing any controls. You could reduce the likelihood or the impact of the risks by selecting appropriate controls from your security controls set.
Deciding how to implement these measures is a fundamental part of end-to-end risk management which will allow you to:
- enhance the overall resilience of your service against evolving risks
- reduce risks to protect sensitive information and maintain business operations
- produce a robust justification for security investment by showing the cost of implementing security controls against the cost of recovery from potential security incidents
You should start responding to security risks as soon as they appear within the risk register, and whenever service requirements change that may have an impact on risk management. This is an iterative activity that aims to continually reduce security risks to an acceptable level and allow you to prioritise ongoing investment into security capabilities and controls.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to adopt a risk-driven approach, design usable security controls, build in detect and respond security, design flexible architectures, minimise the attack surface and defend in depth.
Who is involved
This activity should be carried out by your delivery team with direction from security professionals with experience in risk management and the technical architects designing the service. They should use their experience of cyber security and understanding of the service to determine the appropriate mitigations.
Risk response recommendations should be considered by your Senior Responsible Owner (SRO) and service owner who can provide input and approval for the mitigation plan based on broader project context.
How to respond to and mitigate security risks
Responding to risks involves identifying, evaluating and deciding on appropriate courses of action.
Step 1: Establish the context
It’s important to understand the influencing factors that will impact the risk management decisions you make. These are likely to include the outputs of Secure by Design activities you should have already completed, including:
- working out the project’s security risk appetite
- understanding business objectives and user needs
- understanding cyber security obligations
- performing a security risk assessment
Your organisation may have provided you with guidance on risk management when putting together your risk register. This will have given you the necessary foundations for how to assess, respond and monitor risks including details on impact categories, scoring scales, and governance processes.
Aligning your approach with the one recommended by your organisation will ensure that cyber risks are managed consistently. If your organisation does not have risk management guidance available, this should be raised with your Chief Digital Information Officer (CDIO) and Chief Information Security Officer (CISO) as a fundamental organisational risk.
Step 2: Decide on appropriate risk responses
Those responsible for managing risk within your project should collaborate to add a response to each risk identified within your risk register. Document both the intended response, as well as the rationale that led to that decision so those reviewing it can understand the thought process that led to each action.
Decide on a suitable framework for categorising your responses, for example: treat, tolerate, terminate or transfer.
Treat or reduce the risk
Put in place security measures that reduce the likelihood of the threat and/or severity of the impact, mitigating the risk to an acceptable level. This is suitable where risks are higher than the agreed project risk appetite.
Tolerate or accept the risk
Risks will always exist, and sometimes they need to be accepted as part of running a digital service. If the likelihood and impact are low, then this may be the most sensible option available, especially if the mitigation costs are disproportionately high. This decision should be continually reviewed as the threat landscape or level of service vulnerability changes.
Terminate or avoid the risk
In instances where there is a high risk and the mitigation options are unsuitable, the only way to proceed may be to adapt the service (either permanently or temporarily) so the threat is no longer relevant. This may result in specific features not being available or a fundamental change in the way the service works, so this decision should be taken in close collaboration with delivery teams.
It is also possible to avoid risk by limiting the exposure of your service. For example, if you’re using data that has originated in a separate system, you may choose to hold and process data there rather than transferring sensitive data into your service.
Transfer the risk
Liability indemnity from suppliers or other contractual mechanisms can remove your responsibility for a risk. However, this does not reduce the risk itself and is therefore often an unsuitable response.
It is extremely uncommon within government services for risk to be covered with insurance. Discuss this option with your organisation’s risk management team and HM Treasury to see if an exemption is suitable before considering it as an appropriate response.
Step 3: Identify and compare mitigation options
Using the security controls set for your service, map the appropriate security controls to the risks in your risk register that you have decided to treat or reduce.
These security control solutions could be technical (such as multi-factor authentication) or non-technical (such as cyber security training) and should be proportionate to the risk that is being mitigated.
When deciding on the most appropriate measure to apply to each risk, consider factors including:
- how effective the proposed control will be against the identified threats
- how long the control will be effective for
- what the associated costs are
- what the implementation timelines are
- what level of effort it will take to implement and maintain
Where there are multiple response options, create a comparison table that assesses the identified risk against the available treatments to allow risk owners and budget holders to make informed decisions based on pros and cons.
Step 4: Create a risk treatment plan
Once the appropriate security controls for each risk have been identified and shortlisted, work with decision makers within your project and organisation to determine the preferred set of actions.
This information should be collated into a risk treatment plan that is shared with your delivery team who are responsible for the design and build of security within the service. It should also be made available to those responsible for managing delivery risks such as your SRO, service owner and risk management team.
Deciding to implement these controls will not automatically mean you have a secure service. Regardless of the mitigations in your plan, there will always be a degree of residual risk, and a reliance on controls being correctly implemented and maintained.
Your risk treatment plan will be effective if:
- it is mapped to the vulnerabilities and threats included in your risk register
- it includes measures that reduce all risks to an acceptable level
- the chosen security controls have been assessed against alternative treatment options to evaluate their appropriateness
- it is written in plain English so implementation teams can put the plan into action
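The following is an added, illustrative model of the Step 3 comparison and the Step 4 plan checks above; it is not code from this guidance or from any organisation's risk tooling. The likelihood and impact scales, the additive effect each control has on them, the risk appetite threshold, the control costs and the sample register are all constructed assumptions, so substitute your organisation's own scoring scales and governance. The register rows, responses and rationales are made up for the example.

```python
"""Illustrative risk register model (added example, not from the guidance).

Assumed scoring: likelihood and impact on 1-5 scales, risk score = likelihood x impact,
controls subtract points from likelihood and/or impact, and a risk is acceptable when
its residual score is at or below the project's risk appetite threshold.
"""
from __future__ import annotations
from dataclasses import dataclass, field

RESPONSES = {"treat", "tolerate", "terminate", "transfer"}
RISK_APPETITE = 6  # assumed: highest acceptable residual score for this project


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood (assumed effect)
    impact_reduction: int = 0      # points removed from impact (assumed effect)
    cost: int = 0                  # relative cost, used when comparing options


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int   # inherent likelihood, 1 (rare) to 5 (almost certain)
    impact: int       # inherent impact, 1 (negligible) to 5 (severe)
    response: str     # treat | tolerate | terminate | transfer
    rationale: str    # why this response was chosen (Step 2 asks for this)
    controls: list[Control] = field(default_factory=list)  # mapped controls (Step 3)


def inherent_score(risk: Risk) -> int:
    """Rating before any controls, as recorded in the risk register."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk, controls: list[Control] | None = None) -> int:
    """Rating after the given controls (default: the risk's mapped controls) are applied."""
    if risk.response == "terminate":
        return 0  # the exposure is removed, so the threat no longer applies
    likelihood, impact = risk.likelihood, risk.impact
    for c in (risk.controls if controls is None else controls):
        likelihood = max(1, likelihood - c.likelihood_reduction)
        impact = max(1, impact - c.impact_reduction)
    return likelihood * impact


def compare_treatments(risk: Risk, options: dict[str, list[Control]]) -> list[dict]:
    """Step 3 comparison table: residual score, cost and appetite check per option,
    best (lowest residual, then cheapest) first."""
    rows = []
    for name, controls in options.items():
        residual = residual_score(risk, controls)
        rows.append({"option": name, "residual": residual,
                     "cost": sum(c.cost for c in controls),
                     "within_appetite": residual <= RISK_APPETITE})
    return sorted(rows, key=lambda r: (r["residual"], r["cost"]))


def check_treatment_plan(register: list[Risk], appetite: int = RISK_APPETITE) -> list[str]:
    """Step 4 checks: every risk has a recognised, justified response, treated risks
    have a mapped control, and no risk is left above appetite."""
    findings = []
    for r in register:
        if r.response not in RESPONSES:
            findings.append(f"{r.ref}: unknown response '{r.response}'")
            continue
        if not r.rationale.strip():
            findings.append(f"{r.ref}: response has no documented rationale")
        if r.response == "treat" and not r.controls:
            findings.append(f"{r.ref}: marked 'treat' but no control is mapped to it")
        residual = residual_score(r)
        if residual > appetite:
            note = " (transfer does not reduce the risk itself)" if r.response == "transfer" else ""
            findings.append(f"{r.ref}: residual score {residual} exceeds appetite {appetite}{note}")
    return findings


# Constructed sample controls and register; every value below is made up.
MFA = Control("Multi-factor authentication", likelihood_reduction=2, impact_reduction=1, cost=30)
RATE_LIMIT = Control("Login rate limiting", likelihood_reduction=1, cost=5)
TRAINING = Control("Cyber security training", likelihood_reduction=1, cost=10)

SAMPLE_REGISTER = [
    Risk("R1", "Credential stuffing against the login page", 4, 4, "treat",
         "Above appetite; MFA and rate limiting are proportionate", [MFA, RATE_LIMIT]),
    Risk("R2", "Loss of a laptop holding exported reports", 2, 3, "tolerate",
         "Within appetite; device encryption already mandated organisation-wide"),
    Risk("R3", "Bulk export feature exposes sensitive records", 3, 5, "terminate",
         "Feature withdrawn; data stays in the originating system"),
    Risk("R4", "Hosting supplier outage", 3, 3, "transfer",
         "Covered by supplier contract penalties"),
    Risk("R5", "Staff phishing leading to account takeover", 4, 3, "treat",
         "Above appetite; control selection pending"),
]

if __name__ == "__main__":
    for row in compare_treatments(SAMPLE_REGISTER[4],
                                  {"Training only": [TRAINING], "Training and MFA": [TRAINING, MFA]}):
        print("R5 option:", row)
    for finding in check_treatment_plan(SAMPLE_REGISTER):
        print("Plan finding:", finding)
```

Running the block prints the R5 comparison rows and three plan findings: R4 stays above appetite because transfer leaves the inherent score unchanged, and R5 is both unmapped and above appetite. R1 to R3 pass, showing a treated, a tolerated and a terminated risk that each end within appetite.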
You should assess the effectiveness of security controls to ensure that the decisions you have made are suitable and applied as intended.
Further reading
- National Cyber Security Centre (NCSC): Risk management guidance
- National Institute of Standards and Technology (NIST): Managing Information Security Risk
- NIST SP 800-160 Vol. 1 Rev. 1: Engineering Trustworthy Secure Systems
- Charity Commission (GOV.UK): The risk assessment cycle
- ISO/IEC 27005:2022: Information security, cybersecurity and privacy protection