Week 9, October 29, 2015
Risk Management: Assessing and Controlling Risk
This week we discussed risk management and risk control strategies. Let's talk about some security mistakes we make in our everyday work.
· The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures.
· Leaving unattended computers on.
· Opening email from strangers (the "I Love You" virus).
· Poor password selection. A good example of a better choice: "I pledge allegiance to the flag" becomes "ipa2tf."
· Laptops have legs (physical security).
· Loose lips sink ships. People talk about passwords.
· Plug and Play (technology that enables hardware devices to be installed and configured without protection).
· Unreported security violations.
· Behind the times in terms of patches.
· Not watching for dangers within your own organization.
So, to keep up with the competition, organizations
must design and create a safe environment in which business processes and procedures
can function. This environment must maintain confidentiality and privacy and
assure the integrity and availability of organizational data. These objectives
are met via the application of the principles of risk management.
Once the ranked vulnerability risk worksheet is complete, the organization must choose one of four strategies to control each risk:
1. Apply safeguards (avoidance)
Avoidance is accomplished through:
· Application of policy
· Application of training and education
· Countering threats
· Implementation of technical security controls and safeguards
2. Transfer the risk (transference)
This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or by implementing service contracts with providers.
3. Reduce impact (mitigation)
Mitigation is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability. This approach includes three types of plans:
i. The disaster recovery plan (DRP),
ii. Incident response plan (IRP), and
iii. Business continuity plan (BCP).
Mitigation depends upon the ability to detect and respond to an attack as quickly as possible.
4. Understand consequences and accept risk (acceptance)
This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure. The only valid use of the acceptance strategy occurs when the organization has:
§ Determined the level of risk to the information asset
§ Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
§ Approximated the ARO of the exploit
§ Estimated the potential loss from attacks
§ Performed a thorough cost-benefit analysis
§ Evaluated controls using each appropriate type of feasibility
§ Decided that the particular asset did not justify the cost of protection
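As an added illustration (not from the post or the textbook), the acceptance checklist above can be worked as a small script over a constructed two-row worksheet. It assumes the usual annualized loss expectancy (ALE = SLE × ARO) and cost-benefit (CBA = ALE before the control, minus ALE after it, minus the control's annual cost) formulas, which this post does not spell out, and all figures are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    """A candidate safeguard: its annualized cost and the risk left after applying it."""
    name: str
    annual_cost: float    # annualized cost of the safeguard (ACS)
    residual_sle: float   # loss per successful attack once the control is in place
    residual_aro: float   # yearly rate of occurrence once the control is in place

@dataclass
class RiskEntry:
    """One row of the ranked vulnerability risk worksheet."""
    asset: str
    vulnerability: str
    sle: float            # estimated potential loss from one successful attack
    aro: float            # approximated ARO of the exploit
    controls: list = field(default_factory=list)

def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: expected yearly loss from this vulnerability."""
    return sle * aro

def cba(entry: RiskEntry, control: Control) -> float:
    """Cost-benefit of a control: yearly loss avoided minus what the control costs."""
    return ale(entry.sle, entry.aro) - ale(control.residual_sle, control.residual_aro) - control.annual_cost

def choose_strategy(entry: RiskEntry) -> tuple:
    """Return (strategy, control name or None, CBA of the best control).
    Acceptance is valid only after candidate controls were evaluated and none
    saves more than it costs; otherwise the best-paying safeguard is applied."""
    if not entry.controls:
        raise ValueError(f"{entry.asset}: evaluate at least one control before accepting risk")
    best = max(entry.controls, key=lambda c: cba(entry, c))
    value = cba(entry, best)
    if value <= 0:
        return ("acceptance", None, value)
    return ("safeguard", best.name, value)

# Constructed worksheet rows with hypothetical figures (not from the post or the textbook).
WORKSHEET = [
    RiskEntry("customer database", "unpatched web server", sle=200_000, aro=0.5, controls=[
        Control("patch management program", annual_cost=30_000, residual_sle=200_000, residual_aro=0.05),
        Control("web application firewall", annual_cost=50_000, residual_sle=200_000, residual_aro=0.10),
    ]),
    RiskEntry("lobby kiosk laptop", "theft (laptops have legs)", sle=1_500, aro=0.2, controls=[
        Control("cable locks and guard rounds", annual_cost=2_000, residual_sle=1_500, residual_aro=0.02),
    ]),
]
```

For the database row `choose_strategy` picks the patch management program (CBA of 60,000 per year), while the kiosk row falls to acceptance because its only control costs more than the 300-per-year ALE it would remove.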
Some rules of thumb on strategy selection are:
§ When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exercised.
§ When a vulnerability can be exploited: Apply layered controls to minimize the risk or prevent occurrence.
§ When the attacker's potential gain is greater than the costs of attack: Apply protections to increase the attacker's cost, or reduce the attacker's gain, using technical or managerial controls.
§ When potential loss is substantial: Apply design controls to limit the extent of the attack, thereby reducing the potential for loss.
References:
Michael E. Whitman and Herbert J. Mattord, "Management of Information Security", Fourth Edition, published by Cengage Learning.