Mitigation actions

You can define mitigation actions to manage risks based on the needs of the user.

In IBM® Security Verify Governance, you can define mitigation actions according to the risk management needs related to a user.

The first step is to deploy a mitigation and join it to a specific risk (see ARC module, Manage > Mitigation Controls > Actions menu > Add).

Through two modules of IBM Security Verify Governance, ARC and AGC, you can join a mitigation to a user by using the Mitigations tab that is shown in the following illustration:

Figure 1. Mitigation GUI

In the upper part of the GUI, the risk joined to a user is described.

In the lower part, mitigations that are already assigned to the user are listed.

In this example, the mitigation CS15 - ESE is already assigned to the user, but it is not joined to any of the risks that are shown in the GUI. The user is in a situation that is known as over-mitigation. Removing a mitigation action that no longer covers any risk is not mandatory, but it is considered a best practice.

In general, a risk is characterized by a set of risk activities. In this example, the risk is defined by only two activities.

After the risk selection, from the Actions menu, you can add or remove a mitigation.

Figure 2. Mitigation GUI: add a mitigation to a selected risk

The mitigation that was added to mitigate the risk SOD_-36325961 is shown in the risk tree with a green umbrella icon.

Figure 3. Mitigation GUI: added risk