Risk Management

• Security terminology

• Protection control types

• Security frameworks, models, and best practices

• Security enterprise architecture

• Security documentation

• Information classification and protection

• Security awareness training

• Security governance

 

The core goals of information assurance are availability, integrity, and confidentiality.

  • Availability protection ensures reliable and timely access to data and resources for authorized individuals and vendors.
  • Integrity is upheld when the accuracy and reliability of information and systems are assured and any unauthorized modification of data is prevented.
  • Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure or breaches.

A threat is a danger that can be exploited by a vulnerability, and a risk is the likelihood of someone exploiting that vulnerability to impact your business. You already have enough risks in running a business. If you plan and create countermeasures that safeguard your IT assets, that is one less risk you will have to worry about in the future.

 

Risk Management Framework

Controls are put into place to reduce the risk, but only if you plan for them. There are three main flavors: technical, administrative, and physical. Technical controls are the ones we will deal with here, and they relate to software or hardware components, for example: firewalls, IDS, encryption, identification and authentication mechanisms, etc.

Control Types and Functions:

  • Deterrent - Discourage a potential attack
  • Preventive - Stop an incident from happening
  • Corrective - Fix it, after an incident has occurred
  • Recovery - Restore necessary components to live operations
  • Detective - Identify an incident's activities
  • Defense-in-depth - Implementing multiple control levels that make it more difficult to penetrate key systems.

The National Institute of Standards and Technology (NIST) has put together a number of documents that can help in the process. Below are a few you could look for.

 

• ISO/IEC 27003 Guideline for ISMS implementation

• ISO/IEC 27004 Guideline for information security management measurement and metrics framework

• ISO/IEC 27005 Guideline for information security risk management

• ISO/IEC 27006 Guidelines for bodies providing audit and certification of information security management systems

• ISO/IEC 27011 Information security management guidelines for telecommunications organizations

• ISO/IEC 27031 Guideline for information and communications technology readiness for business continuity

• ISO/IEC 27033-1 Guideline for network security

• ISO 27799 Guideline for information security management in health organizations

 

When it comes to a security framework, don’t practice security through obscurity. If you think that hackers are not as tricky and smart as you - you’re wrong! You will be surprised when all your clients’ personal data shows up on the internet for the highest bidder to buy. Moreover, don’t think that just because your code is compiled hackers can’t read it. There is a wide range of tools one can use to reverse-engineer your software. Another common mistake is to create your own in-house cryptographic algorithm instead of using standard, tested ones. Don’t try to roll your own, because you will be sorry.
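As an added example (not part of the original page), here is the integrity goal above and the "don't roll your own" warning in one small script: an in-house checksum of the kind a developer might invent beside the standard, tested HMAC-SHA256 from the Python standard library. The payment record, the byte-sum checksum and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record and the unauthorized modification we want to catch:
# the same bytes rearranged so the payment runs the other way.
ORIGINAL = b"pay=100;from=alice;to=bob"
TAMPERED = b"pay=100;from=bob;to=alice"


def homebrew_tag(record: bytes) -> bytes:
    """In-house integrity 'checksum' of the kind the text warns against:
    an unkeyed byte sum. It cannot tell rearranged bytes apart, and since
    no secret is involved, anyone who edits the record can recompute it."""
    return (sum(record) % 65536).to_bytes(2, "big")


def verify_homebrew(record: bytes, tag: bytes) -> bool:
    return homebrew_tag(record) == tag


def hmac_tag(key: bytes, record: bytes) -> bytes:
    """Standard, tested primitive: HMAC-SHA256 keyed with a secret that
    only the system holds (stdlib hmac/hashlib, no custom algorithm)."""
    return hmac.new(key, record, hashlib.sha256).digest()


def verify_hmac(key: bytes, record: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the check itself does not
    # leak information about the expected tag.
    return hmac.compare_digest(hmac_tag(key, record), tag)


def homebrew_accepts_tampered() -> bool:
    """Store ORIGINAL with its homebrew tag, then see whether TAMPERED
    passes verification against that same stored tag."""
    stored_tag = homebrew_tag(ORIGINAL)
    return verify_homebrew(TAMPERED, stored_tag)


def hmac_accepts_tampered(key: bytes) -> bool:
    """Same scenario with HMAC: the stored tag is the one for ORIGINAL."""
    stored_tag = hmac_tag(key, ORIGINAL)
    return verify_hmac(key, TAMPERED, stored_tag)


def hmac_accepts_original(key: bytes) -> bool:
    return verify_hmac(key, ORIGINAL, hmac_tag(key, ORIGINAL))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per run; keep real keys in a secrets store
    print("homebrew tag accepts tampered record:", homebrew_accepts_tampered())  # True
    print("HMAC accepts tampered record:", hmac_accepts_tampered(key))  # False
    print("HMAC accepts original record:", hmac_accepts_original(key))  # True
```

The homebrew check passes the reversed payment even with the original tag untouched; the keyed standard primitive rejects it and still accepts the genuine record.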

 

A security framework is made up of many parts: logical, administrative, and procedural. It is written in a way that everyone can understand it - not just the IT department. Hackers have been known to use any means to get access to your network, from social engineering techniques to dumpster diving. Whoever has access to your network needs to be trained and understand the risk of letting an unauthorized person in.

Lance West

 

DigiBrains@msn.com

© DigiBrains LLC