Risk Management Vs Risk avoidance
William Gillette
Security System Development Life Cycle: An Overview
• Investigation
  • Teams of employees define the problem and scope, set goals/objectives, and check the feasibility of the project.
• Analysis
  • Looks at current security policies, threats, controls, and legal issues that could impact a new security policy/system. (Risk management stage)
• Design
  • The logical and physical design of the security system. (Risk avoidance stage)
• Implement
  • The purchase or development of security solutions.
• Maintenance
  • Security systems constantly need updating, modifying, and testing.
Risk Management
• Defined:
  • The process of identifying vulnerabilities in an organization's information systems and/or programs, then taking steps to assure their confidentiality, availability, integrity, and authenticity.
Risk Management: Step by Step Analysis
• Step 1: Know yourself.
  • First, you must identify, examine, and understand the data/information and the systems that interact with these elements.
  • Second, once you know what you have, you can look at what is already being done to protect these assets.
  • Third, identify whether these controls are being properly maintained and administered.
Risk Management: Step by Step Analysis
• Step 2: Know your enemy.
  • Now that you are informed of your organization's assets and weaknesses, you must identify, examine, and understand the threats facing your organization.
  • In turn, you must also identify the aspects of the threats that will most directly affect your organization.
  • With your understanding of the threats, you are now ready to create a list of threats prioritized by the importance of the threat and of the asset.
  • Remember: in business, business needs come first; technology (including security) mainly comes second.
Risk Management: Step by Step Analysis
• Step 3: Know your community.
  • Information security community: these people understand the threats the most and often take a leadership role when it comes to addressing threats.
  • User and manager communities: when properly trained, this group plays a critical part in the area of early detection.
  • Both groups are also responsible for:
    • Evaluating risk controls
    • Determining which control options are cost effective
    • Acquiring or installing the needed controls
    • Overseeing that the controls remain effective
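Steps 1 to 3 above are easier to see as one worked pass over a small risk register. The following Python is an added example, not part of the slides or of any of the cited textbooks: the assets, threats, scoring formula (importance × impact × likelihood, discounted by how much the existing, maintained controls already remove) and the money-per-point conversion in the cost-effectiveness check are all constructed assumptions chosen to illustrate the procedure, not figures from the presentation.

```python
"""Added example: a tiny risk register that carries Steps 1-3 through in code.
All scores, names and the scoring formula itself are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    importance: int               # Step 1: business value, 1 (low) .. 5 (critical)
    control_effectiveness: float  # Step 1: fraction of exposure the existing controls remove (0..1);
                                  # a control that is not maintained should be recorded as 0.0


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str        # name of the asset this threat targets
    likelihood: float  # Step 2: assumed probability of occurrence per year (0..1)
    impact: int        # Step 2: severity if the threat succeeds, 1 .. 5


def residual_risk(asset: Asset, threat: Threat) -> float:
    """Assumed scoring: raw exposure reduced by what current controls already mitigate."""
    raw = asset.importance * threat.impact * threat.likelihood
    return raw * (1.0 - asset.control_effectiveness)


def prioritize(assets: list[Asset], threats: list[Threat]) -> list[tuple[str, str, float]]:
    """Step 2 output: (threat, asset, score) ordered by residual risk, highest first."""
    by_name = {a.name: a for a in assets}
    scored = [(residual_risk(by_name[t.asset], t), t) for t in threats]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(t.name, t.asset, round(score, 2)) for score, t in scored]


def control_is_cost_effective(risk_before: float, risk_after: float,
                              annual_cost: float, value_per_point: float) -> bool:
    """Step 3 check: accept a control only if the risk it removes (converted to money
    with an assumed value_per_point) is worth more than it costs each year."""
    benefit = (risk_before - risk_after) * value_per_point
    return benefit > annual_cost


# Constructed sample register (hypothetical organisation).
SAMPLE_ASSETS = [
    Asset("customer_db", importance=5, control_effectiveness=0.5),
    Asset("web_server", importance=4, control_effectiveness=0.2),
    Asset("staff_laptops", importance=2, control_effectiveness=0.0),  # no maintained control
]
SAMPLE_THREATS = [
    Threat("credential theft", "customer_db", likelihood=0.4, impact=5),
    Threat("web app exploit", "web_server", likelihood=0.5, impact=4),
    Threat("laptop loss", "staff_laptops", likelihood=0.7, impact=3),
    Threat("power outage", "web_server", likelihood=0.3, impact=2),
]

if __name__ == "__main__":
    for name, asset, score in prioritize(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{score:5.2f}  {name:<18} -> {asset}")
    # Would a 2000/year control that cuts the top risk from 6.4 to 1.6 pay for itself?
    print(control_is_cost_effective(6.4, 1.6, annual_cost=2000, value_per_point=1000))
```

Running it prints the threats in descending order of residual risk, with the web server exploit first even though the customer database is the more important asset, because half of the database's exposure is already covered by maintained controls; that is exactly why Step 1 asks whether controls are actually maintained before Step 2 ranks the threats.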
Risk Avoidance
• Defined:
  • A risk control strategy that attempts to prevent attacks on organizational assets through their vulnerabilities.
  • This is the most preferred risk control strategy, as it seeks to avoid risks/threats entirely.
  • Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.
Methods of Risk Avoidance
• Avoidance through application of policy.
• Avoidance through application of training and education.
• Avoidance through application of technology.
Avoidance through Application of Policy
• This mandates that procedures must be followed when dealing with a sensitive asset.
• Example: requiring randomly assigned passwords to access sensitive assets like customer databases.
Avoidance through Application of Training and Education
• New policies must be communicated to employees. In addition, new technology requires training.
• General security awareness issues.
• Awareness, education, and training are essential if employees are to exhibit safe, controlled behavior.
Avoidance through Application of Technology
• In the real world, technological solutions are often required to assure that a risk is reduced.
• The use of countermeasures to reduce or eliminate the exposure of a particular asset to a specific threat.
• Implementing safeguards to deflect attacks on systems and therefore minimize the probability that an attack will be successful.
Risk Management Vs Risk avoidance
• Risk management: identifying vulnerabilities in an organization's information systems and/or programs.
• Risk avoidance: a control strategy that attempts to prevent attacks.