RISK - EVALUATION
Evaluation and Risk Treatment
The purpose of the evaluation is to come up with risk treatment recommendations. These will be applicable and proportionate and be designed to eliminate or mitigate the risk. This might be to facilitate an endeavour (to exploit an opportunity) or to counter a revealed threat. Whatever methodology used to conduct the analysis the controls recommended will fall into the divisions of Procedural, Physical Personnel or Technical (P3T) or if required for easier understanding the Orange Book. Ref  can be used (Preventative, Corrective, Directive or Detective). Normally the controls will be taken from a list such as ISO/IEC 27002 and put into a business context. IL7 will continue to seek guidance from the NCSC documentation, new and legacy, and where applicable in the context of the customer, apply guidance from the Good Practice Guides.
IL7 consultants will keep up to date on new cyber threats and new solutions available to them where they can find technologies. Should technical controls, Security Enforcing Functionality (SEF) such as Firewalls or IPS be recommended, truly independent advice will be put forward with estimates of cost and through life value of investment. IL7 regularly review Common Criteria products. While no longer confined to EAL certificated products and able to buy COTS, IL7 commonly review Gartner assessments (Magic quadrant etc.) and NSS Labs to advice customers on capability. In competitive tender exercises, technical specifications can be mapped onto operational requirements for SEF, taking care to include those features and capacities that mitigate the analysed and evaluated risks and not unnecessary extras. IL7 takes account of practical views such as the NCSC advice on SIEM not being a panacea and should protective monitoring and correlation be required it is just as important to have trained and qualified staff too.