Monday, May 16, 2016

Week 9 
Risk Management: Assessing and Controlling Risk

This week we discussed risk management and risk control strategies.
Let's talk about some security mistakes we make in our everyday work.
· The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures.
· Leaving computers on while unattended.
· Opening email from strangers (the "I Love You" virus).
· Poor password selection. A good alternative is a mnemonic: "I pledge allegiance to the flag" becomes "ipa2tf".
· Laptops have legs: physical security matters.
· Loose lips sink ships: people talk about passwords.
· Plug and Play (technology that lets hardware devices be installed and configured without protection).
· Unreported security violations.
· Being behind the times in terms of patches.
· Not watching for dangers within your own organization.
So, to keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data. These objectives are met via the application of the principles of risk management.
Once the ranked vulnerability risk worksheet is complete, the organization must choose one of four strategies to control each risk:
1. Apply safeguards (avoidance)
Avoidance is accomplished through:
· Application of policy
· Application of training and education
· Countering threats
· Implementation of technical security controls and safeguards

2. Transfer the risk (transference)

This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or by implementing service contracts with providers.

Some rules of thumb on strategy selection are:
· When a vulnerability exists: implement security controls to reduce the likelihood of the vulnerability being exercised.
· When a vulnerability can be exploited: apply layered controls to minimize the risk or prevent the occurrence.
· When the attacker's potential gain is greater than the cost of the attack: apply protections that increase the attacker's cost or reduce the attacker's gain, using technical or managerial controls.
· When the potential loss is substantial: apply design controls to limit the extent of the attack, thereby reducing the potential for loss.
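To make the worksheet and the rules of thumb concrete, here is a small added Python example (my own illustration, not from the post or the textbook). It builds a ranked vulnerability risk worksheet and applies the four selection rules to each row. The scoring formula (likelihood times impact), the 0 to 1 and 0 to 100 scales, the "substantial loss" cut-off of 50, and the sample rows are all assumptions I made for the demonstration; the post itself only states the rules qualitatively.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WorksheetEntry:
    """One row of the ranked vulnerability risk worksheet (fields are assumed)."""
    asset: str
    vulnerability: str
    likelihood: float      # 0.0 to 1.0: chance the vulnerability is exercised (assumed scale)
    impact: float          # 0 to 100: loss to the organization if it is (assumed scale)
    exploitable: bool      # a known exploit or working procedure exists for it
    attacker_cost: float   # rough cost to an attacker, same units as attacker_gain
    attacker_gain: float   # rough gain to an attacker


def risk_score(entry):
    """Risk = likelihood x impact. Assumed scoring; the post ranks risks but gives no formula."""
    return entry.likelihood * entry.impact


def rank_worksheet(entries):
    """Highest risk first, so the most urgent rows are handled first."""
    return sorted(entries, key=risk_score, reverse=True)


def recommend_controls(entry, substantial_loss=50.0):
    """Apply the four rules of thumb to one worksheet row.

    substantial_loss is an assumed cut-off on the impact scale for rule 4.
    """
    recs = []
    # Rule 1: a vulnerability exists, so reduce the likelihood it is exercised.
    recs.append("reduce likelihood: implement security controls")
    # Rule 2: it can be exploited, so add layered controls.
    if entry.exploitable:
        recs.append("layered controls: minimize risk or prevent occurrence")
    # Rule 3: the attacker's gain exceeds the attacker's cost.
    if entry.attacker_gain > entry.attacker_cost:
        recs.append("raise attacker cost or reduce attacker gain (technical/managerial controls)")
    # Rule 4: the potential loss is substantial.
    if entry.impact >= substantial_loss:
        recs.append("design controls to limit the extent of an attack")
    return recs


def plan(entries, substantial_loss=50.0):
    """Ranked worksheet: (entry, rounded risk score, recommendations) per row."""
    return [(e, round(risk_score(e), 2), recommend_controls(e, substantial_loss))
            for e in rank_worksheet(entries)]


# Constructed sample worksheet; the values are illustrative, not taken from the post.
SAMPLE = [
    WorksheetEntry("file server", "unpatched file-sharing service", 0.6, 80, True, 10, 500),
    WorksheetEntry("reception PC", "left logged on and unattended", 0.9, 20, True, 1, 5),
    WorksheetEntry("HR laptop", "no full-disk encryption", 0.3, 90, False, 50, 200),
]

if __name__ == "__main__":
    for entry, score, recs in plan(SAMPLE):
        print(f"{score:6.2f}  {entry.asset}: {entry.vulnerability}")
        for rec in recs:
            print(f"        - {rec}")
```

Running it prints the three rows from highest to lowest risk, each followed by the rules that fired. Note that rule 1 always applies once a row is on the worksheet, while the other three depend on the row's own data, which is why the file server row collects all four recommendations and the others only three.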

References:

Michael E. Whitman and Herbert J. Mattord, "Management of Information Security", Fourth Edition, Cengage Learning.
