Risk Management Vs Risk avoidance

William Gillette

Security System Development Life Cycle
An Overview

Investigation: Teams of employees define the problem and scope, set goals/objectives, and check the feasibility of the project.
Analysis: Looks at current security policies, threats, controls, and legal issues that could impact a new security policy/system. Risk management stage.
Design: The logical and physical design of the security system. Risk avoidance stage.
Implement: The purchase or development of security solutions.
Maintenance: Security systems constantly need updating, modifying and testing.
Risk Management

Defined:

The process of identifying vulnerabilities in an organization's information systems and/or programs, then taking steps to assure their confidentiality, availability, integrity, and authenticity.
Risk Management
Step by Step analysis

Step 1: Know yourself.

First, you must identify, examine, and understand the data/information you hold and the systems that interact with it.
Second, once you know what you have, you can look at what is already being done to protect these assets.
Third, identify whether these controls are being properly maintained and administered.

Risk Management
Step by Step analysis

Step 2: Know your enemy.

Now that you are informed of your organization's assets and weaknesses, you must identify, examine, and understand the threats facing your organization.
In turn, you must also identify the aspects of those threats that will most directly affect your organization.
With your understanding of the threats, you are now ready to create a list of threats prioritized by the importance of the threat and of the asset.
Remember that in business, business needs come first; technology (including security) mainly comes second.
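Steps 1 and 2 together describe a small risk register: the asset inventory and the existing controls from "know yourself", and the threat list ranked by threat and asset importance from "know your enemy". The following Python is an added illustration of that ranking and is not part of the presentation. The scales (importance 1 to 5, likelihood, vulnerability and control effectiveness as fractions), the scoring formula, and every asset, threat and figure in the sample register are constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    importance: int  # 1 (minor) .. 5 (business-critical); assumed scale, Step 1 output


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # estimated chance the threat is realized, 0.0 .. 1.0 (assumed scale)


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair with the vulnerability and existing-control data from Step 1."""
    asset: Asset
    threat: Threat
    vulnerability: float  # how exposed the asset is to this threat, 0.0 .. 1.0
    control_effectiveness: float  # how much current controls already reduce it, 0.0 .. 1.0

    def __post_init__(self) -> None:
        # Reject out-of-range figures early so a typo cannot silently distort the ranking.
        if not 1 <= self.asset.importance <= 5:
            raise ValueError(f"importance out of range for {self.asset.name}")
        for value in (self.threat.likelihood, self.vulnerability, self.control_effectiveness):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"fraction out of range for {self.asset.name}/{self.threat.name}")


def risk_score(exposure: Exposure) -> float:
    """Asset importance x threat likelihood x residual vulnerability (after existing controls)."""
    residual = exposure.vulnerability * (1.0 - exposure.control_effectiveness)
    return round(exposure.asset.importance * exposure.threat.likelihood * residual, 3)


def prioritize(exposures: list[Exposure]) -> list[tuple[str, str, float]]:
    """Return (asset, threat, score) triples, highest risk first: the prioritized list of Step 2."""
    ranked = sorted(exposures, key=risk_score, reverse=True)
    return [(e.asset.name, e.threat.name, risk_score(e)) for e in ranked]


# Constructed sample register (hypothetical assets and figures, not from the presentation).
CUSTOMER_DB = Asset("customer database", 5)
PAYROLL = Asset("payroll system", 4)
PUBLIC_WEB = Asset("public web site", 2)

PHISHING = Threat("phishing", 0.7)
RANSOMWARE = Threat("ransomware", 0.4)
DOS = Threat("denial of service", 0.5)
INSIDER = Threat("insider misuse", 0.2)

SAMPLE_EXPOSURES = [
    Exposure(CUSTOMER_DB, PHISHING, vulnerability=0.8, control_effectiveness=0.5),
    Exposure(CUSTOMER_DB, RANSOMWARE, vulnerability=0.6, control_effectiveness=0.3),
    Exposure(PAYROLL, INSIDER, vulnerability=0.9, control_effectiveness=0.2),
    Exposure(PAYROLL, PHISHING, vulnerability=0.5, control_effectiveness=0.6),
    Exposure(PUBLIC_WEB, DOS, vulnerability=1.0, control_effectiveness=0.0),
]

if __name__ == "__main__":
    for asset, threat, score in prioritize(SAMPLE_EXPOSURES):
        print(f"{score:5.3f}  {asset:20s} <- {threat}")
```

Note how the existing-control figure from Step 1 changes the outcome: the public web site is a low-importance asset, yet with no control in place its denial-of-service exposure outranks ransomware against the customer database, where controls already absorb part of the risk. Any weighting scheme will do as long as the same scale is applied consistently across the register.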
Risk Management
Step by Step analysis

Step 3: Know your community.

Information security community: these people understand the threats the most and often take a leadership role when it comes to addressing threats.
Users and managers communities: when properly trained, this group plays a critical part in the area of early detection.
Both groups are also responsible for:
Evaluating risk controls.
Determining which control options are cost effective.
Acquiring or installing the needed controls.
Overseeing that the controls remain effective.
Risk avoidance

Defined:

A risk control strategy that attempts to prevent attacks on organizational assets through their vulnerabilities.
This is the most preferred risk control strategy, as it seeks to avoid risks/threats entirely.
Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.
Methods of risk avoidance

Avoidance through application of policy.
Avoidance through application of training and education.
Avoidance through application of technology.
Avoidance through application of policy

This mandates that procedures must be followed when dealing with a sensitive asset.

Example: requiring randomly assigned passwords to access sensitive assets like customer databases.
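The policy example above (randomly assigned passwords for access to a sensitive asset) as an added Python illustration; this is not code from the presentation. The policy parameters (a 16-character minimum, the character classes required, the PBKDF2 round count) are assumed for the example. It shows the two points a practitioner would check when such a policy is implemented: the password is drawn from the operating system's cryptographic random source rather than the general-purpose random module, and only a salted hash of it is kept.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical policy parameters for the example (the presentation fixes none).
MIN_LENGTH = 16
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 200_000


def complies(password: str) -> bool:
    """Policy check: minimum length and at least one character from each class."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def issue_password(length: int = MIN_LENGTH) -> str:
    """Generate a password with the OS CSPRNG (secrets), never the random module."""
    if length < MIN_LENGTH:
        raise ValueError("requested length is below the policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if complies(candidate):  # reject the rare draw that misses a character class
            return candidate


def hash_for_storage(password: str) -> tuple[bytes, bytes]:
    """Keep only a salted PBKDF2 digest; the plaintext is shown to the user once and discarded."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so response timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = issue_password()
    salt, digest = hash_for_storage(pw)
    print("issued:", pw, "accepted on login:", verify(pw, salt, digest))
```

The policy is enforced at the point of issue: because the system, not the user, supplies the credential, the length and character-class rules hold for every account that reaches the database, and a later audit only has to confirm that the issuing path is the sole way an account is created.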
Avoidance through application of training and education

New policies must be communicated to employees. In addition, new technology requires training.
General security awareness issues.
Awareness, education, and training are essential if employees are to exhibit safe, controlled behavior.
Avoidance through application of technology

In the real world, technological solutions are often required to assure that a risk is reduced.
The use of countermeasures to reduce or eliminate the exposure of a particular asset to a specific threat.
Implementing safeguards to deflect attacks on systems and therefore minimize the probability that an attack will be successful.
Risk Management Vs Risk avoidance

Risk management: identifying vulnerabilities in an organization's information systems and/or programs.
Risk avoidance: a control strategy that attempts to prevent attacks.