Four Ways in Which You Can Respond to Risk
So is finding and identifying risk enough? No, not really. After you have found and identified risk, your job is not yet over. You will have to determine how you are going to handle the potential risk. There are four ways in which you can respond to risk: avoidance, transference, mitigation, and acceptance:
- Avoiding a risk can be accomplished by taking steps to change your plans, go with different technologies, or hire employees that are skilled in dealing with the problems you are facing. Consider the example of your daughter's wedding. She has made up her mind that it should be this summer on the beach in the Bahamas. You have explained to her that there is always the chance that a hurricane could occur on that same week as the wedding. To avoid the risk, you have suggested that it be moved to Hawaii.
- Transferring a risk is another valid approach. To transfer the risk, you will move ownership to a third party. Insurance is one way to transfer risk. They assume the risk, but we are saddled with the cost of the insurance. In our example of the wedding, we could transfer the risk by buying hurricane insurance.
- Mitigating a risk is the third possible approach. Mitigation is an active attempt to reduce the effect of the risk even before it happens. For a software project this might mean spending more time in development, adding security features, or incurring the cost of a longer, more thorough, beta test. For the future bride, a potential mitigation strategy might consist of securing tents on the beach to protect the attendees from sun or rain and possibly moving the reception inside the hotel to a more sheltered area.
- Accepting the risk is the final option and only when no other options are available or the potential loss is small when compared to the project's benefits. If this is the chosen path, it is important to prepare contingency plans to make sure you will be able to deal with the risk if it occurs. To use the wedding analogy one final time, we can see that if the bride has her heart set on this wedding on the beach, it may be best just to go along. Although what she doesn't know is that the hotel has agreed to allow them to hold the event indoors should the weather turn bad. Knowing that there's a contingency plan eases the worries.
Introduction to Assessing Network Vulnerabilities
- Introduction to Assessing Network Vulnerabilities
- What Security Is and Isnt
- Process for Assessing Risk
- Four Ways in Which You Can Respond to Risk
- Network Vulnerability Assessment
Foundations and Principles of Security
- Foundations and Principles of Security
- Basic Security Principles
- Security Requires Information Classification
- The Policy Framework
- The Role Authentication, Authorization, and Accountability Play in a Secure Organization
- Encryption
- Security and the Employee (Social Engineering)
Why Risk Assessment
- Why Risk Assessment
- Risk Terminology
- Laws, Mandates, and Regulations
- Risk Assessment Best Practices
- Understanding the IT Security Process
- The Goals and Objectives of a Risk Assessment
Risk-Assessment Methodologies
- Risk-Assessment Methodologies
- Risk-Assessment Terminology
- Quantitative and Qualitative Risk-Assessment Approaches
- Best Practices for Quantitative and Qualitative Risk Assessment
- Choosing the Best Risk-Assessment Approach
- Common Risk-Assessment Methodologies and Templates
Scoping the Project
- Scoping the Project
- Defining the Scope of the Assessment
- Reviewing Critical Systems and Information
- Compiling the Needed Documentation
- Making Sure You Are Ready to Begin
Understanding the Attacker
- Understanding the Attacker
- Who Are the Attackers?
- What Do Attackers Do?
- Reducing the Risk of an Attack
- How to Respond to an Attack
Performing the Assessment
- Performing the Assessment
- Introducing the Assessment Process
- Level I Assessments
- Level II Assessments
- Level III Assessments
Tools Used for Assessments and Evaluations
- Tools Used for Assessments and Evaluations
- A Brief History of Security Tools
- Putting Together a Toolkit
- Determining What Tools to Use
Preparing the Final Report
- Preparing the Final Report
- Preparing for Analysis
- Ranking Your Findings
- Building the Final Report
- Contents of a Good Report
- Determining the Next Step
- Audit and Compliance
Post-Assessment Activities
- Post-Assessment Activities
- IT Security Architecture and Framework
- Roles, Responsibilities, and Accountabilities
- Security Incident Response Team (SIRT)
- Vulnerability Management
- Training IT Staff and End Users
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
- Information Request Form
- Document Tracking Form
- Critical Systems and Information Forms
- Level II Assessment Forms
Appendix C. Security Assessment Sample Report
- Appendix C. Security Assessment Sample Report
- Notice
- Executive Summary
- Statement of Work
- Analysis
- Recommendations
- Conclusions
Appendix D. Dealing with Consultants and Outside Vendors
- Appendix D. Dealing with Consultants and Outside Vendors
- Procurement Terminology
- Typical RFP Procurement Steps
- Procurement Best Practices
Appendix E. SIRT Team Report Format Template
Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
EAN: 2147483647
EAN: 2147483647
Year: 2003
Pages: 138
Pages: 138
Authors: Michael Gregg, David Kim
