Understanding Risk Management

The first key principle of security is that no network is completely secure; information security is really about risk management. In the most basic of terms, the more important the asset is and the more it is exposed to security threats, the more resources you should put into securing it. Thus, it is imperative that you understand how to evaluate an asset's value, the threats to an asset, and the appropriate security measures. In general, without training, administrators respond to a security threat in one of the three ways shown below.

  • Ignore the threat, or acknowledge it but do nothing to prevent it from occurring.

  • Address the threat in an ad hoc fashion.

  • Attempt to completely secure all assets to the utmost degree, without regard for usability or manageability.

None of these strategies takes into account what the actual risk is, and all of them will almost certainly lead to long-term failure.

Learning to Manage Risk

Managing security risks can be an incredibly daunting task, especially if you fail to do so in a well-organized and well-planned manner. Risk management often requires experience with financial accounting and budgeting as well as the input of business analysts. Building a risk assessment of an organization's security can take months and generally involves many people from many parts of the company. You can follow this simple process for assessing and managing risk:

  1. Set a scope.

    If you try to assess and manage all security risks in your organization, you are likely to be overwhelmed and certain to miss critical details. Before starting the risk assessment, set the scope of the risk assessment project. This will enable you to better estimate the time and cost required to assess the security risks in the project and to more easily document and track the results.

  2. Identify assets and determine their value.

    The first step in assessing risk is to identify assets and determine their value. When determining an asset's value, take these three factors into account:

    • The financial impact of the asset's compromise or loss

    • The nonfinancial impact of the asset's compromise or loss

    • The value of the asset to your competitors

    The financial impact of an asset's compromise or loss includes revenue and productivity lost because of downtime, costs associated with recovering services, and direct equipment losses. The nonfinancial impact of an asset's compromise or loss includes resources used shaping public perception of a security incident, such as advertising campaigns, and loss of public trust or confidence, known as goodwill in accounting. The value of the asset to your organization should be the main factor in determining how you secure the resource. If you do not adequately understand your assets and their value, you might end up securing the lunch menu in the cafeteria as stringently as you secure your trade secrets.

  3. Predict threats and vulnerabilities to assets.

    The process of predicting threats and vulnerabilities to assets is known as threat modeling. Through the exercise of modeling threats, you will likely discover threats and vulnerabilities that you did not know about or had overlooked, and you will document the more well-known threats and vulnerabilities. You can then proactively mitigate risk rather than having to react to it after a security incident.

  4. Document the security risks.

    After completing the threat model, it is essential that you document the security risks so that they can be reviewed by all relevant people and addressed systematically. When documenting the risks, you might want to rank them. You can rank risks either quantitatively or qualitatively. Quantitative rankings will use actual and estimated financial data about the assets to assess the severity of the risks. For example, you might determine that a single incident of a security risk will cost your organization $20,000 in financial losses while another will cost the organization only $5,000. Qualitative rankings use a system to assess the relative impact of the risks. For example, a common qualitative system is to rank the product of the probability of the risk occurring and the value of the asset on a 10-point scale. Neither quantitative nor qualitative risk assessment is superior to the other; rather, they complement each other. Quantitative ranking often requires acute accounting skills, while qualitative ranking often requires acute technical skills.

  5. Determine a risk management strategy.

    After completing the risk assessment, you must determine what general risk management strategy to pursue and what security measures you will implement in support of the risk management strategy. The result from this step is a risk management plan. The risk management plan should clearly state the risk, threat, impact on the organization, risk management strategy, and security measures that will be taken. As a security administrator, you will likely be responsible for or involved in implementing the security measures in the risk management plan.

  6. Monitor the assets.

    Once the actions defined in the risk management plan have been implemented, you will need to monitor the assets for realization of the security risks. As we've alluded, realization of a security risk is called a security incident. You will need to trigger actions defined in contingency plans and start investigating the security incident as soon as possible to limit the damage to your organization.

  7. Track changes to risks.

    As time progresses, changes to your organization's hardware, software, personnel, and business processes will add and obsolete security risks. Similarly, threats to assets and vulnerabilities will evolve and increase in sophistication. You will need to track these changes and update the risk management plan and the associated security measures regularly.

Risk Management Strategies

Once you have identified an asset and the threats to it, you can begin determining what security measures to implement. The first step is to decide on the appropriate risk management strategy. The rest of this section will examine the four general categories of risk management that you can pursue:

  • Acceptance

  • Mitigation

  • Transference

  • Avoidance

Accepting Risk

By taking no proactive measures, you accept the full exposure and consequences of the security threats to an asset. Accepting risk is an extreme reaction to a threat. You should accept risk only as a last resort when no other reasonable alternatives exist, or when the costs associated with mitigating or transferring the risk are prohibitive or unreasonable. When accepting risk, it is always a good idea to create a contingency plan. A contingency plan details a set of actions that will be taken after the risk is realized and will lessen the impact of the compromise or loss of the asset.

Mitigating Risk

The most common method of securing computers and networks is to mitigate security risks. By taking proactive measures to either reduce an asset's exposure to threats or reduce the organization's dependency on the asset, you are mitigating the security risk. Generally, reducing an organization's dependency on an asset is beyond the scope of a security administrator's control; however, the former is the primary job function of a security administrator. One of the simplest examples of mitigating a security risk is installing antivirus software. By installing and maintaining antivirus software, you greatly reduce a computer's exposure to computer viruses, worms, and Trojan horses. Installing and maintaining antivirus software does not eliminate the possibility of a computer being infected with a virus because there will inevitably be new viruses that the antivirus software cannot yet protect the computer against. Thus, when a risk is mitigated, you still should create a contingency plan to follow if the risk is realized.

When deciding to mitigate risk, one of the key financial metrics to consider is how much your organization will save because of mitigating the risk, less the cost of implementing the security measure. If the result is a positive number and no other prohibitive factors exist, such as major conflicts with business operations, implementing the security measure is generally a good idea. On occasion, the cost of implementing the security measure will exceed the amount of money saved but will still be worthwhile; for example, when human life is at risk.
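The following is an added example, not code from the Resource Kit: a small risk register that ranks risks both quantitatively (cost of a single incident) and qualitatively (probability times asset value on a 10-point scale) as step 4 describes, and then applies the mitigation metric above (savings less the cost of the measure, with the human-life exception). The register figures are constructed, and measuring "savings" as the drop in expected annual loss is an assumption the text does not spell out.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset: str
    asset_value: float    # value of the asset to the organization (constructed figure)
    probability: float    # estimated chance the risk is realized in a year, 0.0 to 1.0
    incident_cost: float  # estimated loss from one incident, as in the $20,000 example


def qualitative_score(risk, max_asset_value):
    """Probability x asset value, normalised onto the 10-point scale the text describes."""
    return round(10 * risk.probability * (risk.asset_value / max_asset_value), 1)


def rank_quantitatively(risks):
    """Quantitative ranking: order by the financial loss of a single incident."""
    return [r.name for r in sorted(risks, key=lambda r: r.incident_cost, reverse=True)]


def rank_qualitatively(risks):
    """Qualitative ranking: order by the 10-point probability x value score."""
    top = max(r.asset_value for r in risks)
    return [r.name for r in sorted(risks, key=lambda r: qualitative_score(r, top), reverse=True)]


def expected_annual_loss(risk, probability=None):
    """Probability of an incident this year times the cost of one incident (assumption)."""
    p = risk.probability if probability is None else probability
    return round(p * risk.incident_cost, 2)


def mitigation_decision(risk, measure_cost, residual_probability, life_safety=False):
    """Savings from the measure (reduction in expected loss) less its cost, per the text."""
    savings = expected_annual_loss(risk) - expected_annual_loss(risk, residual_probability)
    net = round(savings - measure_cost, 2)
    if net > 0:
        return net, "mitigate: savings exceed the cost of the measure"
    if life_safety:
        return net, "mitigate: cost exceeds savings, but human life is at risk"
    return net, "not justified on cost alone: consider transferring, avoiding or accepting"


# Constructed sample register; the lunch menu deliberately ranks last, as the text warns.
REGISTER = [
    Risk("Web site defacement", "public Web site", 200_000, 0.3, 20_000),
    Risk("Lunch menu tampering", "cafeteria menu", 500, 0.9, 200),
    Risk("Trade secret theft", "trade secrets", 1_000_000, 0.1, 800_000),
]

if __name__ == "__main__":
    print(rank_quantitatively(REGISTER), rank_qualitatively(REGISTER))
    print(mitigation_decision(REGISTER[0], measure_cost=2_500, residual_probability=0.05))
    print(mitigation_decision(REGISTER[2], 100_000, 0.02, life_safety=True))
```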

Transferring Risk

An increasingly common and important method of addressing security risks is to transfer some of the risk to a third party. You can transfer a security risk to another party to take advantage of economies of scale, such as insurance, or to take advantage of another organization's expertise and services, such as a Web hosting service. With insurance, you are paying a relatively small fee to recuperate or lessen financial losses if the security risk should occur. This is especially important when the financial consequences of your security risk are abnormally large, such as making your organization vulnerable to class action lawsuits. When contracting a company to host your organization's Web site, you stand to gain sophisticated Web security services and a highly trained, Web-savvy staff that your organization might not have afforded otherwise. When you engage in this type of risk transference, the details of the arrangement should be clearly stated in a contract known as a service level agreement (SLA). Always have your organization's legal staff thoroughly investigate all third parties and contracts when transferring risk.

Avoiding Risk

The opposite of accepting risk is to avoid the risk entirely. To avoid risk, you must remove the source of the threat, exposure to the threat, or your organization's reliance on the asset. Generally, you avoid risk when there are little to no possibilities for mitigating or transferring the risk, or when the consequences of realizing the risk far outweigh the benefits gained from undertaking the risk. For example, a law enforcement agency might want to create a database of known informants that officers can access through the Internet. A successful compromise of the database could result in lives being lost. Thus, even though many ways to secure access to the database exist, there is zero tolerance of a security compromise. Therefore, risk must be avoided by not placing the database on the Internet, or perhaps not storing the information electronically at all.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
