Lec 3 Security Process
Lecture 3
SECURITY PROCESSES
▪ Education
▪ Vulnerability management
▪ Issue management
▪ Risk management
▪ Incident management
ISSUE MANAGEMENT
▪ Security issue management is both a preventive and a corrective measure.
▪ It identifies and fixes exposures before abusers can take advantage of them.
SECURITY ISSUES
• Vulnerabilities uncovered by the security advisory process
• Deviations from security policy
• Vulnerabilities uncovered during security testing
• Security incidents
RESOLVING SECURITY ISSUES
• Issue fixed
  • Fixing the security exposure is the best outcome.
• Issue mitigated
  • The second option is to find a compromise. When a risk is mitigated, a degree of security is implemented to reduce the risk represented by the exposure, e.g. implementing a firewall rule to block particular network traffic instead of installing a software patch on the server.
• Risk accepted
  • The third option is to accept the risk and decide not to address the security problem. This is the least desirable outcome.
EXAMPLE
• If a security vulnerability is found within the Red Hat Linux operating system, and a company cannot upgrade the various deployed servers because upgrading may break business applications, a firewall may be able to block the necessary ports to prevent attackers from exploiting the vulnerability.
SECURITY RISK MANAGEMENT
• This is a preventive security control.
• It compares the financial cost of implementing security measures with the possible cost of a security breach.
• Risk management is an extension of the issue management process.
EXAMPLE
• If a Red Hat Linux server does not have the latest patch installed, this exposure should be tracked through the security issue management process.
• However, imagine a situation in which the system administrator notifies the application developers that a patch is imminent, and the application developers respond with the warning that installing the patch will break their application. If management decides that the patch should be installed regardless of the application problem, the issue management process is followed until the issue is closed.
• If management agrees that the application is critical, the management team must accept the risk and initiate the risk management process.
RISK MANAGEMENT PROCESS
• Assessing risk
  • Quantitative risk assessment provides financial figures by comparing control cost vs. threat cost.
  • Qualitative risk assessment consists of subjective components, such as professional experience, education and judgment, used to analyze the risk.
• Managing risk
  • An accepted risk must be re-assessed on a regular basis to decide whether to fix the problem or allow it to remain untreated.
SECURITY INCIDENT MANAGEMENT