FEATURE

Risk-Assessment Strategies

October 30, 2000
By Brooke Paul

You've been asked to act as the security representative on a high-profile B2B e-commerce project. After examining the requirements provided by the project manager, you submit your recommendations for ensuring that the project is securely implemented. A few weeks later, you find yourself in several meetings in which your concerns are called paranoid, expensive and unnecessary. As if things aren't bad enough, the vice president overseeing the project requests justification for each of your recommendations.

You know intuitively that security problems will crop up if your recommendations aren't followed, but you're now forced into a situation where you need hard facts to back your gut feelings. How can you quickly and efficiently provide the justification the VP is requesting? What could you have done to avoid the situation altogether? The answers are found in risk assessment, a critical part of any risk-management program.

Purpose of Risk Management

All business decisions, in IT or otherwise, are an exercise in the evaluation of the risk of inaction versus the cost of action to reduce risks (real or perceived). Risk management is helpful in answering questions such as whether failing to upgrade your file-and-print server will affect the ability of users to do their jobs properly; whether implementation of the latest intrusion-detection technology will reduce the likelihood of someone breaking into your e-mail server; and whether a firewall is necessary to protect your Web server, or if simple router ACLs (access control lists) will suffice. Furthermore, a risk-management process will help you prioritize these issues should you lack the resources necessary to address them all immediately.

In today's hypercompetitive world, the use of risk management is vital to the long-term success of your company. Not all risks can be eliminated: The cost in resources and time would be prohibitive. In fact, most businesses need to take some risks to gain a competitive edge. Therefore, you must decide when and where educated risks can be taken and how finite resources should be allocated to reduce risk and support business strategies.

Risk management enables sound judgment when taking risks, and affords a level of contingency planning should a risk become a reality. Understanding the risks to company assets is the starting point of a risk-management process. Once you understand the risks to your business, you'll be able to make sound decisions on whether to accept, mitigate or transfer those risks. In addition, risk management pulls together data from other security areas, such as vulnerability analysis and operations monitoring, to provide an overall view of business risk. The focus of this discussion is the application of techniques for risk management and risk assessment to modern information-security practices.

Risk Management in a Nutshell

Risk management can be loosely defined as a systematic process for the identification, analysis, control and communication of risks. In the business world, these risks may vary from the mundane (the risk of an accounting error, for example) to the esoteric (say, the risk of a cracker taking advantage of a little-known application bug). Risk management should be integrated into the life cycle of any process or project that's important to a business. The use of a risk-management methodology lets a company make informed decisions about the allocation of scarce resources to areas that are the most at risk.

Risk management should be an ongoing activity that includes phases for assessing risk, implementing controls, promoting awareness and monitoring effectiveness. At the heart of risk management is the evaluation of the potential impact of threats on the ability of a company to continue providing products or services to customers. This evaluation phase of the process is risk assessment.

Risk assessment--often confused with vulnerability assessment/analysis, which is a critical phase in any security-risk assessment--is widely used in both the public and private sectors to support decision-making processes. Employing risk-assessment methodologies to drive decision-making processes around security and associated technology allows for consistent and effective use of decision-support data, as well as removal of technical bias from what are essentially business decisions.

Risk-Assessment Process Overview

Risk assessment is a process for tying together information gathered about business assets, their value and their associated vulnerabilities, to produce a measure of the risk to the business from a given project, implementation or design.

Types of Risk Assessment

Of the many risk-assessment methodologies employed, the most common is ad hoc--someone believes a risk exists and convinces management that the risk should be addressed. Although this type of qualitative risk assessment works sometimes for small organizations, it doesn't scale for large enterprises; often, the reasoning behind the assessment is a recent incident that has received wide news coverage. Clearly, a more systematic methodology is necessary to properly identify and categorize risks.

An analysis of the numerous risk-assessment methodologies is beyond the scope of this discussion, but it's important to note that each methodology has been developed to meet specific needs, each has strengths and weaknesses, and each may or may not apply to a given situation (see "Some Methodologies for Risk Assessment"). Regardless of the methodology you choose, risk assessments generally follow a five-phase approach. The critical aspect of any risk assessment is that it ties a threat or vulnerability to a business asset or process. The analysis method provides the probability measure, whether it's based on a formal methodology (as in tree analysis) or on past experience (historical analysis).
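The process overview above describes tying each threat to a business asset, attaching a probability measure, and using the result to prioritize scarce resources. The following is an added example, not code from the article or its author, that carries that idea through in a small quantitative risk register. It assumes a scoring model the article does not specify (expected loss = asset value x annual likelihood x fraction of the asset exposed), assumes that a control scales down the likelihood of the threat it addresses, and ranks candidate controls by expected loss avoided per dollar under a fixed budget. Every asset value, probability, control and cost is constructed sample data chosen to echo the servers and controls the article mentions.

```python
"""Added example (not part of the original article): a minimal quantitative
risk register that ties threats to assets, scores them, and allocates a
fixed budget to the controls that remove the most expected loss per dollar.

Assumed model (the article names no formula): expected loss of a risk is
asset value * annual likelihood * exposure fraction; a control multiplies the
likelihood of the threat it addresses by (1 - reduction). All figures below
are constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # business value in dollars (constructed)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: float  # estimated annual probability, 0..1 (constructed)
    exposure: float    # fraction of asset value lost if realised, 0..1

    def expected_loss(self) -> float:
        return self.asset.value * self.likelihood * self.exposure


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    threat: str        # the threat this control addresses
    reduction: float   # fraction of that threat's likelihood removed, 0..1


def total_expected_loss(risks):
    return sum(r.expected_loss() for r in risks)


def rank_risks(risks):
    """Highest expected loss first: the prioritization the article asks for."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def apply_control(control, risks):
    """Return a new risk list with the control's likelihood reduction applied
    to every risk that involves the threat it addresses."""
    return [
        replace(r, likelihood=r.likelihood * (1.0 - control.reduction))
        if r.threat == control.threat else r
        for r in risks
    ]


def control_benefit(control, risks):
    """Expected loss avoided if the control is applied to the current risks."""
    return total_expected_loss(risks) - total_expected_loss(apply_control(control, risks))


def select_controls(controls, risks, budget):
    """Greedy allocation: repeatedly buy the affordable control with the best
    loss-avoided-per-dollar ratio, recomputing benefits after each purchase so
    two controls on the same threat are not double-counted.
    Returns (chosen controls, dollars spent, residual risk list)."""
    remaining, chosen, spent, current = list(controls), [], 0.0, list(risks)
    while True:
        best, best_ratio = None, 0.0
        for c in remaining:
            if c.cost > budget - spent:
                continue  # cannot afford this control any more
            ratio = control_benefit(c, current) / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break  # nothing affordable still reduces expected loss
        chosen.append(best)
        spent += best.cost
        current = apply_control(best, current)
        remaining.remove(best)
    return chosen, spent, current


# Constructed sample register, hypothetical values only.
WEB = Asset("web server", 500_000)
MAIL = Asset("e-mail server", 200_000)
FILEPRINT = Asset("file-and-print server", 50_000)

RISKS = [
    Risk(WEB, "web application compromise", likelihood=0.30, exposure=0.40),
    Risk(MAIL, "external break-in", likelihood=0.20, exposure=0.50),
    Risk(FILEPRINT, "hardware failure (no upgrade)", likelihood=0.50, exposure=0.20),
    Risk(WEB, "external break-in", likelihood=0.10, exposure=0.60),
]

CONTROLS = [
    Control("firewall", 20_000, "external break-in", 0.70),
    Control("router ACLs", 2_000, "external break-in", 0.40),
    Control("intrusion detection", 15_000, "web application compromise", 0.30),
    Control("secure code review", 10_000, "web application compromise", 0.60),
    Control("file server upgrade", 8_000, "hardware failure (no upgrade)", 0.90),
]

BUDGET = 30_000

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.expected_loss():>10,.0f}  {r.asset.name}: {r.threat}")
    chosen, spent, residual = select_controls(CONTROLS, RISKS, BUDGET)
    print("chosen:", [c.name for c in chosen], "spent:", spent)
    print(f"expected loss {total_expected_loss(RISKS):,.0f} -> {total_expected_loss(residual):,.0f}")
```

With these constructed figures the greedy pass buys the cheap router ACLs before the firewall, then the code review, then the file-server upgrade, and stops when the remaining budget cannot cover anything that still reduces expected loss. The point a VP can read off the output is not the exact dollar values, which are estimates, but the ranking and the justification for each recommendation in terms of loss avoided per dollar spent.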
