Thursday, October 30, 2014

Risk Mitigation

Last week we learned about Risk Management: controlling risk. The chapter covered the different risk-handling procedures, feasibility analysis and recommended risk control practices. When we talk about risk management, it is important to talk about risk mitigation.
In simple terms, risk mitigation is taking steps to reduce the adverse effects of a risk. It is the process by which an organization introduces specific measures to minimize or eliminate unacceptable risks associated with its operations. There is no doubt that we are surrounded by different kinds of risk. To understand those risks and implement the appropriate strategies to mitigate and manage them, it is important that we learn about risk mitigation.
 
There are different ways to mitigate risk. Some of the risk mitigation handling options are:
Ø  Assume/Accept: The project manager acknowledges that the risk exists and decides to accept it without changing the project plan, other than agreeing to address the risk if it occurs.
Ø  Avoid: The team adjusts the project requirements to eliminate or reduce the risk. The adjustment could be a change to the funding, the schedule or the technical requirements.
Ø  Control: The team implements actions to minimize the impact or likelihood of the risk.
Ø  Transfer: Accountability, responsibility and authority for the risk are reassigned to other stakeholders or project teams that are willing to accept it.
Ø  Monitor: The team monitors the environment for changes that affect the nature or impact of the risk.
 
Overall, risk mitigation is about understanding the risks that can affect the objectives of the organization and taking appropriate steps to reduce or eliminate them.
 
Reference:
Anonymous (2011, February). Risk Management: Understanding Risk Mitigation. Retrieved from http://www.ica.bc.ca/ii/ii.php?catid=17
 

Thursday, October 23, 2014

Threat Identification

Any organization can face a wide variety of threats. A threat is an action or event that can lead to a loss. Threat and risk are often used synonymously, but they differ: a threat is the potential cause of a loss, while risk is the likelihood of that loss combined with its impact. Threats always exist and cannot be avoided, but they can be managed to minimize the risk. An organization should manage and minimize its losses in order to maximize its returns. It is very important for any organization to identify these threats and take steps to control them. Regular monitoring is also necessary to keep threats under control.
 
Types of Threat:
Physical Threat: Physical threats are damage caused to the physical infrastructure of the information system. Examples are fire, water, energy variations, structural damage, pollution and physical intrusion.

Logical Threat: Logical threats are damage caused to software and data without physical presence. Examples include viruses and worms, logical intrusion, etc.
 
There are two approaches to threat identification.
Consider Common Threats:
In order to assess threats, consider the common threat sources: people, software and natural disasters. There are a number of ways a threat can be realized. For example, an employee could disclose the data, or a software program could destroy it.

Review Properties:
In order to assess assets, consider their properties: availability, integrity and confidentiality. Then classify the threats that may affect each property: destruction, interruption, removal or loss, disclosure and corruption (toolbox.com). Destruction, interruption and removal or loss primarily affect availability, disclosure affects confidentiality, and corruption affects integrity.
 
It is important for an organization to understand the various threats and their potential effects on its information assets. The organization should be able to identify which threats present a danger and which represent the gravest danger to its information assets.
 
Reference:

Borysowich, C. (2009, July). Identifying Security Threats. Retrieved October 22, 2014, from http://it.toolbox.com/blogs/enterprise-solutions/identifying-security-threats-33182
 

Thursday, October 16, 2014

Issue-Specific Security Policy


An issue-specific security policy is one of the three types of information security policy, alongside the enterprise information security policy and system-specific security policies. I found issue-specific security policies (ISSP) to be a more common policy used by businesses and organizations. Issue-specific policies may cover electronic mail, use of the Internet, home use of company-owned computer equipment, use of personal equipment on company networks, use of telecommunications technologies, etc. An ISSP provides detailed, targeted guidance to instruct all members of the organization in the use of these resources.
The overall objective of an ISSP is clear: it tells employees and members of the organization which resources may be used and which may not. An effective ISSP is a binding agreement between the parties (the organization and its members) and shows that the organization has made a good-faith effort to ensure that its technology will not be used in an inappropriate manner (Whitman & Mattord, 2014, p. 134).

Every organization's ISSP has three characteristics:
Ø  It addresses specific technology-based resources.
Ø  It requires frequent updates.
Ø  It contains an issue statement explaining the organization's position on a particular issue.

Components of a typical ISSP:
1. Statement of Purpose
a. What the scope of the policy is
b. What technology and issue it addresses
c. Who is responsible and accountable for policy implementation

2. Authorized access and usage
a. Who can use the technology governed by the policy
b. What the technology can be used for
c. What constitutes 'fair and responsible' use of the technology and how it may affect personal information and privacy

3. Prohibited use of equipment
a. What constitutes disruptive use, misuse or criminal use
b. What other restrictions may apply

4. System management
a. What kind of authorized employer monitoring is involved (e.g. electronic scrutiny of e-mail and other electronic documents)

5. Violation of policy
a. What specific penalties apply to each category of violation
b. How to report observed or suspected violations, openly or anonymously

6. Policy review and modification
a. How the policy is reviewed and modified so that it stays as current as possible

7. Limitation of liability
a. Who is liable if an employee violates company policy or the law

Reference:
Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Stamford, CT: Cengage Learning.

Thursday, October 9, 2014

The Importance of Security Awareness Training

Cyber threats are a major concern in the IT world today. The recent data breaches at companies such as Chase, Home Depot and Target have shown that companies need to build their IT security strong enough to avoid further damage. A threat can come from anywhere, from within the organization or from outside it. A threat from inside the organization is the most dangerous, since employees are familiar with the organization's infrastructure. Most of the time, an inside threat comes from an accident or from an uninformed employee.
 
Employees who are not informed about security threats often visit websites infected with malware, respond to phishing e-mails, store their login information in an unsecured location or even give out sensitive information over the phone when exposed to social engineering (sans.org). Any of these can expose the organization to a major security threat and leak important information. One of the best ways to avoid these kinds of threat is to provide security awareness training to employees. An organization can institute company-wide security awareness training initiatives such as formal classroom sessions, seminars, discussion groups, regular e-mails or posters in the break room. This helps ensure that employees have a solid understanding of company security policy, procedures and best practices (sans.org).
 
The two YouTube videos listed in the references below explain the importance of information security awareness.
Reference:
SANS (n.d.). The Importance of Security Awareness Training. Retrieved October 9, 2014, from http://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013

Sayes, A. (2012, March). Physical & Information Security Awareness. Retrieved October 9, 2014, from https://www.youtube.com/watch?v=tmOGJVDvJaQ

Anonymous (2013, February). IT Security Awareness Week. Retrieved October 9, 2014, from https://www.youtube.com/watch?v=LWi_ljAIhcM
 

Thursday, October 2, 2014

Importance Of Security Policy

Maintaining information security is a core part of business today, and many businesses treat it as an essential part of their operations. A business must maintain the availability, integrity and confidentiality of its information in order to stay in business; failing to maintain these three core properties of information security can put the business at risk of failure.
Important information such as manufacturing records, sales, financial, customer and employee records is kept on computers. But how safe is all this information? In today's digitized world, with the reach of the Internet, this information can be stolen from anywhere in the world, and confidential information can be compromised. A business might implement strong security technologies to prevent hacking. But what about the policies and procedures that will help keep the business's information confidential? It is very important to create and implement security policies that define the overall security strategy.
 
Every business must have an information security policy that covers the enterprise information security policy, issue-specific security policies (ISSP) and system-specific security policies. An enterprise information security policy focuses on issues relevant to every aspect of the organization; it sets the strategic direction, scope and tone of the organization's security efforts. An issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of resources, focusing on a specific department, network service or function. A system-specific security policy focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates a firewall or other specific security controls (Ferreira, n.d.).
 
No matter how large or small your organization is, it is very important to have an information security policy in place. It provides a framework for keeping your company at the desired security level by assessing the risks your organization might face. Think about this: your organization's information is the crown jewels of your business. You wouldn't want someone to steal your crown jewels, right? You want to keep them safe and secure. I strongly believe every organization should have a strong information security policy.
 
Reference:
Ferreira, M. (n.d.). Why having an information security strategy is important for an organization. Retrieved from http://www.linkedin.com/groups/Why-having-information-security-strategy-3138056.S.91456697

Kadam, A. (n.d.). Why information security is important for your organization. Retrieved from http://www.networkmagazineindia.com/200209/security2.shtml