Risk Management is more than just doing a Risk Assessment... risk management is the process of identifying assets and risk, assessing risk, taking steps to reduce risk to an acceptable level, and monitoring to ensure success. Monitoring closes the loop and helps identify new security requirements; you'll never be finished with risk management, any more than you'll ever be finished with managing your personnel or your money or infrastructure.

Information is an asset which, like other important business assets, has value and consequently needs to be suitably protected. The protection of information includes the three security objectives of confidentiality, integrity, and availability, and the business requirement of acceptable use. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

Information can exist in physical, electronic, or intellectual form. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.

Risk is the net negative impact of the exercise of a vulnerability, considering both the likelihood and the impact of occurrence. The ultimate goal of risk management is to identify the security and privacy requirements to protect information assets and to implement the cost-effective safeguards required to meet those requirements.

As mentioned above, the primary requirements for information security are the protection of confidentiality, integrity, and availability (the CIA triad), and the concept of "need to know" or "acceptable use" of the information. If CIA is compromised the information asset can be inappropriately disclosed, modified, or destroyed, and that is considered a risk to the company. Inappropriate use could also pose a risk to the company. A balance must be struck between openness of access to information for "mission accomplishment" (i.e. what's required to "do my job") and locking the information down too tightly. Once identified, risk can be handled in a number of ways, including: ignore, avoid (prevent), mitigate (reduce), transfer, or accept. Note that ignoring a risk is really just an undocumented acceptance of it; it is listed here because it happens, not because it is a defensible treatment.

Information security, or more specifically "risk mitigation", is achieved by implementing a suitable set of safeguards, which could be (APL):
- administrative: policies, practices, procedures, org structures, awareness and training;
- physical: locks, guards, badge access, fire suppression, flood control;
- logical: computer or technology related security functions.

Safeguards are also referred to as security controls or countermeasures (or just measures). Each of these can have a number of Security Controls as follows (PDDCRC):
- Preventive: attempt to avoid the occurrence of unwanted events (inhibit attempts to violate information security).
- Detective: attempt to identify unwanted events after they have occurred (warn of violations or attempted violations).
- Deterrent: attempt to discourage threat agents from violating information security.
- Corrective: attempt to remedy the circumstances that allowed the event, or return conditions to what they were.
- Recovery: attempt to restore lost resources or capabilities and help recover monetary losses.
- Containment: attempt to limit the impact (injury or loss).

For each of the three objectives (CIA), there are three types of safeguards (APL), each with a possibility of 6 controls (PDDCRC); 3 x 3 x 6 gives a total of 54 possibilities... lots for you to choose from to protect your information.

The primary objective or end result of all of this is to get the appropriate protection in place to reduce risk to an acceptable level. The acceptable risk level is based on the business impact that would be experienced if certain risks were realized. The following list could be used as a basis for determining when a risk is acceptable or, perhaps, tolerable. A risk is acceptable when:
- it falls below an arbitrarily defined probability,
- it falls below some level that is already tolerated,
- it falls below an arbitrarily defined fraction of total revenue for the company,
- the cost of reducing the risk would exceed the costs saved,
- the cost of reducing the risk would exceed the costs saved when the 'costs of suffering' are also factored in,
- the opportunity costs would be better spent on other, more pressing, company issues,
- executive, senior management, or the board say it is acceptable,
- the general public say it is acceptable (or more likely, do not say it is not),
- politicians, via legislation, say it is acceptable.

Whichever criterion is used, record it: an acceptance that nobody can later explain is indistinguishable from a risk that was ignored.

To set a company-wide acceptable risk level you must understand your legal requirements, your regulatory requirements, your business drivers and objectives, and you must carry out threat risk assessments for your sensitive and critical information assets.

In summary, then, the full process to follow is:
1. identify your information assets and potential threats and risks (natural or man-made),
2. conduct a threat risk assessment to determine recommended safeguards,
3. take the steps necessary to reduce risk to an acceptable level,
4. monitor the usage of your information to ensure successful protection.