Page 69 - CISSO_Prep_ Guide
(responsive) such as incident management.
Risk Versus Control
The purpose of a control is to address a specific threat. However,
a control is also a limitation, because there are indirect costs for the
purchase or installation of the protection mechanism. Therefore,
the selection of a control requires diligence and careful
consideration of the justification for the protection mechanism:
the effectiveness of the protection mechanism, the impact on
the business, acceptance by the users, and the ability of the
protection mechanism to support compliance or audit needs.
Therefore, all controls should be justified by the risk that
requires the implementation of the protection mechanism. The
protection mechanism should also be traceable back to the threat