Risk Control and Physical Security
By William Gillette
Topics
Top 10 Security Mistakes
Avoidance
Transference
Mitigation
Acceptance
Quick Review
Risk Avoidance
Defined:
A risk control strategy that attempts to prevent attacks on
organizational assets by addressing their vulnerabilities.
This is the most preferred risk control strategy, as it
seeks to avoid risks/threats entirely.
Methods of risk avoidance:
Avoidance is accomplished through countering threats,
removing vulnerabilities in assets, limiting access to
assets, and adding protective safeguards.

Risk Transference
Defined:
A control approach that attempts to shift the risk to other
assets, other processes, or other organizations.
This is accomplished through
rethinking/reengineering services, revising
development models, outsourcing to other
organizations, or implementing service contracts.
A common choice for larger companies.
Advantages of outsourcing:
The outsourcing company focuses its energy and
resources on its area of expertise.
Allows the parent company to concentrate on the
business it knows. Example: Kodak.
Disadvantages:
Costs tend to be high for these services, and they
require very detailed legal contracts to guarantee
service and recovery.
Risk Mitigation
Defined:
A control approach that attempts to reduce the impact caused
by the exploitation of a vulnerability through planning and
preparation.
Three types of plans:
Disaster recovery plan
Incident response plan
Business continuity plan
Each of these strategies depends on the ability to detect and
respond to an attack as quickly as possible. All mitigation
strategies start with early detection.
Disaster Recovery Plan
Defined:
Preparations for recovery should a disaster occur; strategies to limit losses
before and during disasters; step-by-step instructions to regain normalcy. (This
is the most common of the mitigation procedures.)
Examples:
Procedures to recover lost data (data/media backup)
Procedures for the reestablishment of lost services
Procedures to protect currently available assets (shutdown)
When it is deployed:
Immediately after the incident is labeled a disaster
Time frame:
Short-term recovery
Incident Response Plan
Defined:
Actions an organization takes during an attack. IRPs are predefined, specific
or ad hoc, and reactive.
The "what do I do now!" plan.
Examples:
Information analysis, intelligence gathering, and a list of steps to be taken
during an attack (e.g., an unauthorized copy of data)
When it is deployed:
As the attack or disaster unfolds
Time frame:
Immediate and real-time reaction
Business Recovery Plan
Defined:
Steps to ensure continuation of the overall business when the scale of the
disaster requires relocation.
Examples:
Preparation steps for the activation of a secondary data center
Establishment of a hot site in a remote location. Many companies have
this service as a contingency against disastrous events.
When it is deployed:
After it has been determined that a disaster/attack affects the continuous
operation of the organization
Time frame:
Long-term recovery
Acceptance
Defined:
In contrast to the other controls, acceptance is a method of doing nothing to
protect a vulnerability and accepting the outcome of its exploitation.
To use this control, the organization must have:
Determined the level of risk
Assessed the probability of attack
Estimated the potential damage that could occur from attacks
Performed a thorough cost-benefit analysis
Taken into account the feasibility of other controls
Decided that the particular functions/assets/data do not justify the cost of protection
[Figure: risk handling decision points, reconstructed from the slide's flowchart.]
Start: System/program as designed
Decision 1: Is the system/program vulnerable? No -> No Risk. Yes -> continue.
Decision 2: Is the system/program exploitable? No -> No Risk. Yes -> continue.
Categories of controls
Control function:
Controls and safeguards designed to defend vulnerabilities
through prevention or detection.
Uses both technological protection (e.g., encryption) and
enforcement measures (policies).
Architectural layer:
Controls applied to more than one layer of a system,
e.g., firewalls.
Strategic:
Controls that are specific to a risk control method.
Other Factors in Deciding on a
Risk Control Method
Feasibility studies
Cost-benefit analysis
Asset valuation
Organizational feasibility
Technical feasibility
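The acceptance criteria above (estimate the damage, assess the probability, run a cost-benefit analysis, decide whether protection is justified) and the asset valuation and cost-benefit factors in this list can be worked through with numbers. The following is an added example, not part of the original slides; it assumes the widely used annualized loss expectancy (ALE) formulas, which the slides do not spell out: SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence, and cost-benefit = ALE(before control) - ALE(after control) - annual cost of the control. The asset values, exposure factors, rates and control costs are constructed sample figures, and the two candidate controls (a mitigation plan and a transference contract) are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    value: float  # asset valuation in currency units (constructed sample figure)


@dataclass
class Control:
    name: str
    strategy: str        # "mitigation" or "transference"
    annual_cost: float   # annualized cost of the safeguard (ACS)
    residual_ef: float   # exposure factor remaining once the control is in place
    residual_aro: float  # annual rate of occurrence remaining once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the loss expected from one successful exploitation (value x fraction lost)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE: SLE scaled by how many times per year the exploitation is expected."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def cost_benefit(asset: Asset, ef: float, aro: float, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control pays for itself."""
    ale_prior = annualized_loss_expectancy(asset.value, ef, aro)
    ale_post = annualized_loss_expectancy(asset.value, control.residual_ef, control.residual_aro)
    return ale_prior - ale_post - control.annual_cost


def recommend(asset: Asset, ef: float, aro: float,
              controls: List[Control]) -> Tuple[str, Optional[str], float]:
    """Pick the control with the best CBA; if none is worth its cost, the
    remaining option is risk acceptance (the slides' 'do nothing' strategy)."""
    scored = [(cost_benefit(asset, ef, aro, c), c) for c in controls]
    best_cba, best = max(scored, key=lambda pair: pair[0])
    if best_cba > 0:
        return (best.strategy, best.name, best_cba)
    return ("acceptance", None, best_cba)


# Constructed sample data (hypothetical assets and controls, not from the slides).
CANDIDATE_CONTROLS = [
    Control("backups + incident response plan", "mitigation",
            annual_cost=6000.0, residual_ef=0.1, residual_aro=0.2),
    Control("outsourced hosting with recovery SLA", "transference",
            annual_cost=18000.0, residual_ef=0.1, residual_aro=0.1),
]
WEB_SERVER = Asset("customer-facing web server", value=200000.0)
KIOSK = Asset("lobby information kiosk", value=3000.0)


def demo() -> dict:
    """Run the analysis for a high-value and a low-value asset.
    Same threat assumptions for both: EF 0.5 / ARO 0.2 for the server,
    EF 1.0 / ARO 0.5 for the kiosk (constructed figures)."""
    return {
        WEB_SERVER.name: recommend(WEB_SERVER, 0.5, 0.2, CANDIDATE_CONTROLS),
        KIOSK.name: recommend(KIOSK, 1.0, 0.5, CANDIDATE_CONTROLS),
    }


if __name__ == "__main__":
    for asset_name, (strategy, control_name, cba) in demo().items():
        print(f"{asset_name}: {strategy} ({control_name}), CBA = {cba:,.2f}")
```

With these figures the web server's ALE before any control is 20,000 per year, so the mitigation plan (ALE drops to 4,000 for a 6,000 annual cost) returns a positive cost-benefit of 10,000 and is chosen; the kiosk's ALE is only 1,500, so no control covers its own cost and the result is acceptance, which is exactly the "functions/assets/data do not justify the cost of protection" decision the slide describes.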
Physical Security
Defined:
Describes the protection needed outside a system
or program.
Typical physical controls include ID cards, guards,
locks, and cameras, but can also include items that
protect against disasters.
Types of Physical Security