THE IT SECURITY PROFESSIONAL | Barlowtek
Helping Organizations Understand IT Security & Best Practices
Managing Threats
The area of Risk Management can be all-consuming and difficult to address because of all the variables that need to be included in the process. The process for addressing risk should be thought out ahead of time and then communicated to everyone with responsibility for the mitigation process. Having these discussions ahead of time keeps everyone on the same sheet of music when it comes to remediating the findings of an audit or any other process that has surfaced potential risks.

Risk Identification

Organizations of various sizes try to identify risks as soon as possible and remediate them effectively in order to reduce the overall threat the risks pose to the company. While some audits or review processes will quickly pick up potential risks, most businesses accomplish this task with a vulnerability management application that scans the network assets to determine what risk they pose to the business. Some vulnerabilities pose a greater risk than others because of the severity of the potential impact or the amount of damage they might do to the organization.

Risk Rating

While rating risks can be very subjective, it is important to understand that different organizations and service businesses will rate the same vulnerability or risk differently. This is an issue for most organizations, since there is no single standard that everyone follows, which causes a lot of confusion and leads to mislabeling of possible risks. Any IT Security Team needs a risk rating in order to address the highest-risk areas first. As it turns out, there are a couple of ways to rate and score risks.

Qualitative vs. Quantitative

The main advantage of a qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities, without requiring extensive financial analysis. Its disadvantage is that it does not provide specific, quantifiable measurements of the magnitude of the impacts, which makes a cost-benefit analysis of any recommended controls difficult. The major advantage of a quantitative impact analysis is that it provides a measurement of the impact's magnitude, which can be used in the cost-benefit analysis of recommended controls. While determining risk can be a very subjective exercise, it can also lead to ways of addressing risks or threats to your business or organization in a systematic manner. With all of the areas that IT Security personnel have to deal with, this process elevates any issues that arise and takes the human factor out of the equation.

Mitigation Strategy

A mitigation plan will need to be developed for each identified potential risk to the business or organization. The mitigation strategy will be based on the potential impact of the risk and on what would be needed to remediate the risk to the business. Some of the types of mitigation strategies are listed below:

Controls

Controlling risks to an organization is one of the keys to effective IT Security Management. Controls can be implemented in a variety of ways and may take many forms, depending on the needs of the business and the amount of risk that must be mitigated to bring it within the business's comfort level. Whether the controls are process changes or physical controls, such as magnetic door locks or secured manufacturing sites, they are developed and put into place to help the organization better manage its overall risk exposure. Logical and procedural controls are as important as physical ones, since they affect how the business operates and how certain procedures are completed. One such control is to implement a Change Management Board (CMB) to validate any change made to the network, including the addition or removal of network resources. This one control may help eliminate the risk a business takes on by making frequent changes to its network or by affecting its customers.

Monitor

An important aspect of Risk Management that sometimes gets lost in the shuffle is the need to monitor the risk and the mitigation strategy used to lower the risk level. While some mitigation strategies will eliminate the risk altogether, others will leave some residual risk that cannot be transferred. These solutions need to be monitored to make sure they are effective at reducing the risk they were designed for. Failure to monitor the remediation strategy may leave the business open to a greater threat than the original risk exposed it to in the first place; an improperly monitored remediation can be worse than having no strategy at all.

Summary

While unidentified risks pose the largest threat to any organization, it is important to identify them as soon as possible and to manage them effectively. This will help the business to better address further threats or vulnerabilities that may arise from the risk. Most of the data breaches that continue to happen occur because organizations don't address risks effectively. This gap is where attackers focus their efforts, since these will be the easiest areas of the business to attack. Failure to have an effective and responsive Patch Management Program is a huge risk for a business; conversely, having an effective Patch Management Program can help reduce an organization's overall risk exposure. It comes down to the organization's risk appetite and what it is willing or able to accept. In order to remediate a risk, the company will have to do something, and that something will cost money, time, and the effort of its staff. Doing nothing may be worse, since the organization knows about the risk but fails to take the required actions to mitigate it. It comes down to how the leadership of the organization wants to handle things, and this is the battle that IT Security Professionals have to wage on a daily basis.
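The Risk Rating and Mitigation Strategy sections above contrast qualitative rating (quick prioritization, no dollar figures) with quantitative rating (an impact magnitude that supports cost-benefit analysis of controls). The following Python is an added example, not code from the original post or from Barlowtek: it rates constructed findings both ways, orders them for remediation, and checks whether each proposed control is cost-justified. The single loss expectancy (SLE), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) formulas are the standard ones; the 1-to-5 scales, the rating band cut-offs, the Finding fields and all sample values are assumptions made for this example.

```python
"""Qualitative and quantitative risk rating with a control cost-benefit check.

Added example (not from the original post). Standard formulas:
  SLE = asset value * exposure factor
  ALE = SLE * ARO (expected occurrences per year)
The ordinal scales, band cut-offs and sample findings are constructed.
"""
from dataclasses import dataclass


def qualitative_band(likelihood: int, impact: int) -> str:
    """Rate a finding on a 1..5 likelihood x impact matrix (cut-offs assumed)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1..5 scale")
    score = likelihood * impact
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: value lost in one occurrence (exposure factor is a 0..1 fraction)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE: expected loss per year = SLE * annualized rate of occurrence."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


@dataclass
class Finding:
    name: str
    likelihood: int          # 1..5, qualitative
    impact: int              # 1..5, qualitative
    asset_value: float       # currency units
    exposure_factor: float   # fraction of asset value lost per occurrence
    aro: float               # occurrences per year without the control
    control_name: str
    control_cost: float      # annual cost of the proposed control
    residual_aro: float      # occurrences per year with the control in place

    def rating(self) -> str:
        return qualitative_band(self.likelihood, self.impact)

    def ale_before(self) -> float:
        return annualized_loss_expectancy(self.asset_value, self.exposure_factor, self.aro)

    def ale_after(self) -> float:
        return annualized_loss_expectancy(self.asset_value, self.exposure_factor, self.residual_aro)

    def net_benefit(self) -> float:
        """Annual risk reduction minus control cost; negative means not cost-justified."""
        return (self.ale_before() - self.ale_after()) - self.control_cost


BAND_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order work by qualitative band first, then by ALE within a band."""
    return sorted(findings, key=lambda f: (BAND_RANK[f.rating()], f.ale_before()), reverse=True)


def recommended_controls(findings: list[Finding]) -> list[str]:
    """Controls, in priority order, whose annual benefit exceeds their annual cost."""
    return [f.control_name for f in prioritize(findings) if f.net_benefit() > 0]


# Constructed sample findings drawn from the kinds of risk the post discusses.
SAMPLE_FINDINGS = [
    Finding("Unpatched internet-facing web server", 4, 5, 500_000, 0.4, 0.5,
            "Patch Management Program", 60_000, 0.05),
    Finding("Network changes made without review", 3, 3, 200_000, 0.25, 2.0,
            "Change Management Board (CMB)", 15_000, 0.5),
    Finding("Server room door not access-controlled", 2, 4, 300_000, 0.5, 0.1,
            "Magnetic door locks with badge readers", 20_000, 0.01),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.rating():8} ALE {f.ale_before():>10,.0f} -> {f.ale_after():>9,.0f}"
              f"  net benefit {f.net_benefit():>9,.0f}  {f.name}")
    print("Cost-justified controls:", recommended_controls(SAMPLE_FINDINGS))
```

Run as a script, the output shows what the post describes: the qualitative band alone orders the work, but only the ALE figures reveal that the third control's annual cost exceeds the loss it avoids, so it would be deferred or replaced with a cheaper option under a pure cost-benefit decision (qualitatively it still looks like a Medium risk worth addressing).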
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.
Archives: January 2023