When a system is not approved because the level of
risk is considered too high, countermeasures are evaluated to determine
whether the risk can be reduced to an acceptable level.
Specific countermeasures are selected and implemented
in the environment to counter the threats, and the risk assessment is
performed again.
|