Thursday, July 24, 2014

Risk Mitigation

    The heart of information security is the concept of RISK. Every organization encounters different types of risk. The range runs from risks with the smallest impact, which can be easily managed, to risks that threaten the very existence of the organization. The importance of safeguarding against information security risks from attackers, who see these weaknesses as opportunities to cripple businesses, has risen from obscurity to the forefront of most organizations' business plans.

     A multifaceted approach to information security is essential for a solid foundation of risk mitigation. It encompasses three basic strategies:

     - Control risks through several different management techniques
   
     - Develop a security policy

     - Promote awareness and training among employees

Controlling Risks

There are several different terms used in the context of information security and controlling risk:

     * Threat - A type of action that has the potential to cause harm

     * Threat agent - A person or element that has the power to carry out the threat

     * Vulnerability - A flaw or weakness that allows a threat to bypass security

     * Risk - The likelihood that the threat agent will exploit the vulnerability (in practice weighed together with the impact if it does)

Just as there are different terms, there are also different strategies for controlling risk. Three of the most common are privilege management, change management, and incident management.

     Privilege management concerns a person's access level over an object, such as a user's ability to open a payroll file. It covers the procedures for managing object authorizations. One element of privilege management is the periodic review of each subject's privileges over an object, known as privilege auditing. Audits serve to verify that the security protections implemented by an organization are actually being followed. The correct privileges should follow the principle of least privilege: the minimal set of privileges an employee needs to perform their job, and nothing more. Most organizations have a written policy that mandates regular reviews, and an audit that only checks whether a review was signed off, rather than comparing what was granted against what the job requires, misses the point of the exercise.
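The following Python script is an added example of what a privilege audit checks, not code from the original post or from any particular product. It compares each grant in an access-control export against an assumed least-privilege baseline for the subject's role and flags grants that exceed the baseline, belong to a role with no baseline at all, or have gone too long without review. The roles, subjects, objects, dates and the 90-day review window are all constructed for the example.

```python
"""Privilege audit, added here as an illustration: compare the permissions
actually granted to each subject against a least-privilege baseline for the
subject's job role, and flag grants that exceed it or have not been reviewed
recently. All roles, subjects, objects and dates below are constructed."""
from dataclasses import dataclass
from datetime import date

# Assumed baseline: the minimum (object, permission) pairs each role needs.
ROLE_BASELINE = {
    "payroll_clerk": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "hr_analyst": {("payroll.xlsx", "read"), ("employees.db", "read")},
    "developer": {("app_repo", "read"), ("app_repo", "write")},
}


@dataclass(frozen=True)
class Grant:
    """One access right held by a subject over an object."""
    subject: str
    role: str
    obj: str
    permission: str
    last_reviewed: date


# Constructed sample of current grants, as an access-control export might look.
GRANTS = [
    Grant("alice", "payroll_clerk", "payroll.xlsx", "read", date(2014, 6, 1)),
    Grant("alice", "payroll_clerk", "payroll.xlsx", "write", date(2014, 6, 1)),
    Grant("bob", "developer", "payroll.xlsx", "read", date(2014, 1, 10)),
    Grant("carol", "hr_analyst", "employees.db", "read", date(2014, 7, 1)),
    Grant("dave", "contractor", "app_repo", "write", date(2014, 7, 20)),
]


def _finding(grant, reason):
    return {"subject": grant.subject, "object": grant.obj,
            "permission": grant.permission, "finding": reason}


def audit_privileges(grants, baseline, today, max_review_age_days=90):
    """Return one finding per problem: a grant outside the role's baseline,
    a grant whose role has no baseline at all, or a grant not reviewed
    within max_review_age_days."""
    findings = []
    for g in grants:
        required = baseline.get(g.role)
        if required is None:
            # Nobody has defined what this role needs, so nothing can be justified.
            findings.append(_finding(g, "no baseline for role"))
            continue
        if (g.obj, g.permission) not in required:
            findings.append(_finding(g, "exceeds role baseline"))
        if (today - g.last_reviewed).days > max_review_age_days:
            findings.append(_finding(g, "review overdue"))
    return findings


def subjects_needing_action(findings):
    """Distinct subjects that appear in at least one finding, sorted."""
    return sorted({f["subject"] for f in findings})


def run_sample_audit():
    """Audit the constructed grants as of the post's date, 24 July 2014."""
    return audit_privileges(GRANTS, ROLE_BASELINE, date(2014, 7, 24))


if __name__ == "__main__":
    results = run_sample_audit()
    for f in results:
        print(f"{f['subject']:6} {f['object']:14} {f['permission']:6} {f['finding']}")
    print("needs action:", subjects_needing_action(results))
```

On the constructed data the developer who can read the payroll file is reported twice (the grant is outside the role's baseline and its last review is more than 90 days old), and the contractor is reported because no baseline exists for that role; the two payroll-clerk grants and the HR analyst's grant pass. The audit deliberately treats a missing baseline as a finding rather than silently accepting the grant, since an undefined role is exactly where excess privilege accumulates.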

     Change management refers to the methodology for making modifications to network or system configurations and keeping track of those modifications. It prevents changes from being made haphazardly, which could interfere with future changes and possibly expose a vulnerability an attacker could exploit. Two types of change need proper documentation from a security standpoint: architecture and classification. Architecture changes involve devices such as routers, switches, or other equipment being introduced into the network; a detailed list of their attributes needs to be compiled as well. The second type, classification, primarily refers to files or documents; classification levels typically distinguish standard documents from confidential ones. Uncoordinated changes can result in security vulnerabilities, so many organizations create a change management team to oversee changes. The practical test of a change process is whether the configuration a device is actually running can be reconciled, line by line, with the changes that were approved.
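The script below is an added example of that reconciliation, not code from the original post or from any vendor tool. It diffs a router's current configuration against the last approved baseline and reports any changed lines that no approved change record accounts for. The device name, both configurations, the change ticket and its format (a ticket lists the exact lines it authorises and the hash of the baseline it was approved against) are all constructed assumptions for the example.

```python
"""Change management check, added here as an illustration: diff a device's
running configuration against the last approved baseline and report any
changed lines that no approved change record accounts for. The device name,
configurations and change ticket below are all constructed."""
import difflib
import hashlib

DEVICE = "edge-rtr-1"

# Constructed: the configuration as it stood after the last approved change.
APPROVED_CONFIG = """\
hostname edge-rtr-1
interface Gi0/0
 ip address 192.0.2.1 255.255.255.0
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
line vty 0 4
 transport input ssh
"""

# Constructed: what the device reports now. It contains one ticketed change
# (a new loopback interface) and one undocumented change (telnet re-enabled
# on the management lines).
RUNNING_CONFIG = """\
hostname edge-rtr-1
interface Gi0/0
 ip address 192.0.2.1 255.255.255.0
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
line vty 0 4
 transport input ssh telnet
"""


def config_hash(text):
    """SHA-256 of a configuration, used to tie a ticket to the baseline it was approved against."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed change log: each approved ticket records the exact lines it
# authorises adding or removing on a given device.
CHANGE_LOG = [
    {
        "ticket": "CHG-0042",
        "device": DEVICE,
        "baseline_sha256": config_hash(APPROVED_CONFIG),
        "added": ["interface Loopback0",
                  " ip address 198.51.100.1 255.255.255.255"],
        "removed": [],
    },
]


def diff_config(baseline, running):
    """Lines added to and removed from the baseline, in order of appearance."""
    added, removed = [], []
    # n=0: no context lines, so every non-header line is a real change.
    for line in difflib.unified_diff(baseline.splitlines(), running.splitlines(),
                                     lineterm="", n=0):
        if line.startswith(("--- ", "+++ ", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def unauthorised_changes(baseline, running, change_log, device):
    """Changed lines that no approved ticket for this device and baseline covers."""
    added, removed = diff_config(baseline, running)
    baseline_hash = config_hash(baseline)
    # A ticket approved against an older baseline does not authorise anything now.
    tickets = [c for c in change_log
               if c["device"] == device and c["baseline_sha256"] == baseline_hash]
    ok_added = {line for c in tickets for line in c["added"]}
    ok_removed = {line for c in tickets for line in c["removed"]}
    return {"added": [line for line in added if line not in ok_added],
            "removed": [line for line in removed if line not in ok_removed]}


if __name__ == "__main__":
    result = unauthorised_changes(APPROVED_CONFIG, RUNNING_CONFIG, CHANGE_LOG, DEVICE)
    for line in result["added"]:
        print(f"undocumented addition on {DEVICE}: {line!r}")
    for line in result["removed"]:
        print(f"undocumented removal on {DEVICE}: {line!r}")
```

Run against the constructed data, the loopback interface is covered by the ticket and disappears from the report, while the change from `transport input ssh` to `transport input ssh telnet` is reported as an undocumented removal and addition. Binding each ticket to the hash of the baseline it was approved against means a stale ticket cannot be reused to explain away a later, unrelated change.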

     Incident management covers the response required when an unauthorized incident occurs, such as an employee copying sensitive material. Incident response is the term for the activities an organization carries out to identify, analyze, and correct hazards so as to prevent a future recurrence. In a structured organization these incidents are normally handled by either an Incident Response Team (IRT) or an Incident Management Team (IMT). These teams are designated beforehand or during the event and are placed in charge of the part of the organization in which the incident is being dealt with, until normal functions are restored.

List the types of security policies

   Security policies are a set of requirements or rules that set a path to a specific objective. Security policies attempt to carefully balance two key elements, trust and control. An effective security policy should minimize risk while not imposing undue access restrictions on those who need access to resources. A security policy attempts to provide the right amount of trust by balancing no trust against too much trust. Control is the second element that must be balanced. Designing a security policy involves defining what the policy is, understanding the security policy cycle, and knowing the steps in policy development. The different types of policies are:

Acceptable Use Policy
Access Control Policy
Application Control Policy
Antivirus Policy
Asset Management Policy
Electronic Messaging Policy
IT User Accounts Policy
Monitoring and Logging Policy
Passwords Policy
Remote Access Policy

Describe how awareness and training can provide increased security.

     Security awareness training is a formal process for educating employees about computer security. A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT). Employees should receive information about whom to contact if they discover a security threat and be taught that data is a valuable corporate asset. Regular training is particularly necessary in organizations with high turnover rates and in those that rely heavily on contract or temporary staff. Confirming how well the awareness program is working can be difficult; the most common metric looks for a downward trend in the number of security incidents over time.


http://www.comptechdoc.org/independent/security/policies/
http://www.slideshare.net/R_Yanus/Employee-Security-Training1
http://searchconsumerization.techtarget.com/definition/security-awareness-training
