Mitigation actions
You can define mitigation actions to manage risks based on the needs of the user.
In IBM® Security Verify Governance, you can define mitigation actions according to the risk management needs related to a user.
The first step is to deploy a mitigation and join it to a specific risk (see ARC module).
Through two modules of IBM Security Verify Governance, ARC and AGC, you can join a mitigation to a user by using the Mitigations tab that is shown in the following illustration:
In the upper part of the GUI, the risk joined to a user is described.
In the lower part, mitigations that are already assigned to the user are listed.
In this example, the mitigation CS15 - ESE is already assigned to the user, but it is not joined to any of the risks that are shown in the GUI. This situation is known as over mitigation. Removing an unnecessary mitigation is not mandatory, but it can be considered a best practice.
A generic risk is characterized by any set of risk activities. In this example, a risk is defined by only two activities.
After you select a risk, you can add or remove a mitigation from the Actions menu.
The mitigation that was added to mitigate the risk SOD_-36325961 is shown in the risk tree with a green umbrella icon.