Tuesday, February 5, 2013

Enhancing Information Security Through the Use of Risk Management

http://blog.icorps.com/bid/134760/5-IT-Security-Mistakes-That-Companies-Still-Make
There is no escaping risk. Risk is present in just about every activity that is conducted by an organization. Risk is also present in the functions that we conduct on a daily basis at home. If left unmanaged, risk can elevate to a level that could potentially have catastrophic and often irreversible effects, especially in the information technology world. On the other hand, risk that is managed reinforces a security program by controlling or mitigating risks.

In order to control and mitigate risk it is important to develop a risk management plan. A risk management plan can be completed in two phases. The first phase is risk identification and assessment. During this phase assets are inventoried, threats and vulnerabilities are identified, and risk factors are calculated for each asset. After the risk factors are calculated, each asset can be prioritized according to its risk factor. Last, controls in the form of policies, programs, and/or technical controls are developed for each threat that has a vulnerability associated with it (Whitman & Mattord, 2010, p. 276-301).

The second phase of the risk management process is risk control. During this phase risk control strategies are utilized to control the risks that are created by the vulnerabilities. According to Whitman and Mattord (2010) there are four strategies that can be utilized to control risk. The four strategies are avoidance, transference, mitigation, and acceptance (p. 309).

Risk avoidance is a set of techniques implemented through the use of policies, training and education, threat countering, and/or technical controls to fortify assets that have vulnerabilities. Risk transference is a method utilized to pass risk to another asset or organization. Risk mitigation is a strategy used to lessen the severity of an incident or disaster by ensuring plans are prepared that address detection and rapid response. Risk acceptance is the strategy of accepting a risk for what it is because the cost of protection exceeds the value of the asset (Whitman & Mattord, 2010, p. 276-301).

Another strategy that Whitman & Mattord do not identify but is listed in National Institute of Standards and Technology (NIST) Special Publication 800-39 (2011) is risk sharing. Risk sharing is similar to risk transference; however, it only shifts a portion of the risk, whereas risk transference transfers the entire risk to another asset or organization (p. 43).

One of the most important steps in the risk management process is monitoring and reevaluation. Threats are constantly changing and new vulnerabilities are being discovered. Therefore, risk assessments and strategies should be conducted regularly to ensure that control is maintained and that risks that have been mitigated continue to be mitigated.

After all this you may be wondering how this all fits into Internet scams. Well, when properly conducted, an information security risk assessment should include the assets that could be affected by the threats associated with Internet scams. After the assessment is completed and a risk rating factor is assigned to each asset, a single control strategy, or a combination of strategies, can be implemented to control and/or mitigate the risk to each asset that could be affected by an Internet scam. Or you can choose not to utilize the risk management process, roll the risk dice, and hope you have done everything you can to protect the assets under your control.
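The two phases above, as an added example that is not part of the original post: a small risk register that ranks constructed Internet-scam exposures by a risk factor (phase one) and then picks a control strategy for each (phase two). The risk-factor formula (likelihood times asset value, discounted by the share already controlled) and the strategy thresholds are assumptions for illustration; the assets, threats and numbers are constructed, and transference or sharing is left as a business decision rather than automated.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: int            # relative value on a 1-100 scale (constructed)

@dataclass
class Exposure:
    asset: Asset
    threat: str           # threat paired with a vulnerability on this asset
    likelihood: float     # 0.0-1.0 chance the vulnerability is exploited per year
    controlled: float     # 0.0-1.0 share of the risk already controlled
    control_cost: int     # cost of the proposed control, same scale as asset value

def risk_factor(e: Exposure) -> float:
    """Assumed formula: likelihood x asset value x uncontrolled share."""
    return round(e.likelihood * e.asset.value * (1.0 - e.controlled), 2)

def prioritize(register: list) -> list:
    """Phase 1 output: exposures ranked from highest to lowest risk factor."""
    ranked = sorted(register, key=risk_factor, reverse=True)
    return [(e.asset.name, e.threat, risk_factor(e)) for e in ranked]

def choose_strategy(e: Exposure) -> str:
    """Phase 2: pick one of the four control strategies (thresholds assumed)."""
    if e.control_cost > e.asset.value:
        return "acceptance"    # protection costs more than the asset is worth
    if e.controlled >= 0.9:
        return "acceptance"    # residual risk is already small
    if e.likelihood >= 0.5:
        return "avoidance"     # high likelihood: policy, training, technical controls
    return "mitigation"        # plan for detection and rapid response

# Constructed sample register: Internet-scam threats against typical assets.
payroll_mailbox = Asset("payroll mailbox", 80)
public_website = Asset("public website", 40)
test_lab_vm = Asset("test lab VM", 10)
REGISTER = [
    Exposure(payroll_mailbox, "phishing / invoice fraud", 0.6, 0.2, 15),
    Exposure(public_website, "fake-support scam defacement", 0.3, 0.5, 20),
    Exposure(test_lab_vm, "malware via scam download", 0.7, 0.0, 25),
]

if __name__ == "__main__":
    for name, threat, rf in prioritize(REGISTER):
        print(f"{rf:6.2f}  {name:16} {threat}")
    for e in REGISTER:
        print(e.asset.name, "->", choose_strategy(e))
```

Re-running the register with updated likelihoods or control percentages is the monitoring and reevaluation step: the ranking and chosen strategies change as the inputs do.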

References:

NIST SP 800-39 managing information security risk. (2011, March). Retrieved February 5, 2013, from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

[Risk]. (2012, September 27). Retrieved from http://blog.icorps.com/bid/134760/5-IT-Security-Mistakes-That-Companies-Still-Make

Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology Cengage Learning.
