Risk control strategies

Risk control strategies are the defensive measures used by IT and information security (InfoSec) communities to limit vulnerabilities and manage risks to an acceptable level. A number of strategies are available, and they can be employed either as a single measure of defense or in combination. A risk assessment is an important tool that should be incorporated into the process of identifying the threats and vulnerabilities that could affect resources and assets, so that the resulting risk can be managed. Risk management is also a component of a risk control strategy: Nelson et al. (2015) state that "risk management involves determining how much risk is acceptable for any process or operation, such as replacing equipment". [1]

Examples of Threats

  - Social engineering
  - Theft
  - Vandalism
  - Forces of nature
  - Human error
  - Software errors
  - Hardware errors

Strategies

There are five basic strategies for controlling the risks that arise from vulnerabilities: [2]

  1. Defense - Applying safeguards that eliminate or reduce the remaining uncontrolled risk
  2. Transferral - Shifting risks to other areas or to outside entities
  3. Mitigation - Reducing the impact on information assets should an attacker successfully exploit a vulnerability
  4. Acceptance - Understanding the consequences of choosing to leave a risk uncontrolled, and then properly acknowledging the risk that remains without attempting to control it
  5. Termination - Removing or discontinuing the information asset from the organization's operating environment

Defense

The defense strategy works to deter exploitation of the vulnerability that requires protection. Defense methods can be physical, logical, or a combination of both. Applying multiple layers of defensive measures is called defense in depth. Defense in depth applies access controls in the manner Stewart et al. (2012) describe: "multiple layers or levels of access controls are deployed to provide layered security". [3]

Transferral

According to Stallings and Brown, this strategy is the "sharing of responsibility for the risk with a third party. This is typically achieved by taking out insurance against the risk occurring, by entering into a contract with another organization, or by using partnership or joint venture structures to share the risk and cost should the threat eventuate." [4] The act of purchasing insurance is an example of risk transferral.

Mitigation

The mitigation strategy attempts to reduce the damage a vulnerability can cause by employing measures that limit the effect of a successful attack. According to Hill (2012), "this can be done by fixing a flaw that creates an exposure to risk or by putting compensatory controls in place that either reduce the likelihood of the weakness actually causing damage or reduce the impact if the risk that is associated with the flaw actually materialized." [5]

Acceptance

This strategy accepts the identified risk and deploys no defense. A common reason for choosing acceptance is that the cost of deploying safeguards outweighs the damage a successful attack or compromise would cause.

Termination

Instead of protecting an asset with a safeguard, or deploying no safeguards and accepting the risks to it, this strategy removes the asset from the environment in which it is exposed to risk. An example would be removing a server from a network because the company has determined that the risk of leaving it on the network outweighs the benefit of keeping it there.

References

  1. Nelson, B., Phillips, A., & Steuart, C. (2015). Guide to computer forensics and investigations (5th ed.). Boston, MA: Cengage Learning.
  2. Whitman, M. E., & Mattord, H. J. (2014). Management of information security (4th ed.). Stamford, CT: Cengage Learning.
  3. Stewart, J., Chapple, M., & Gibson, D. (2012). CISSP: certified information systems security professional study guide (6th ed.). Indianapolis, IN: Wiley.
  4. Stallings, W., & Brown, L. (2015). Computer security principles and practice (3rd ed.). Upper Saddle River, NJ: Pearson Education, Inc.
  5. Hill, D. G. (2009). Data protection. Boca Raton, Florida: CRC Press.