Enterprise Security Trends Blog | HP Blogs
Keep up with the latest cyber, consumerisation, collaboration and cloud enterprise security trends from the team of HP information security professionals.

An holistic view of security & risk: 6 ways to ensure you've covered the bases.

Globalization, cloud, hacktivism — all add to the changing landscape of modern business. The opportunities, threats and associated risks are personal to individual organisations. But how do you determine which risks are applicable to your business? And once you know what risks you’re facing, what can you do?

PMVista's Risk Management Guide gives a comprehensive list of the 13 categories of risk facing businesses today. Considering each of them will allow you to holistically assess the level of risk in each category of your business.

Follow these 6 steps to learn how to effectively mitigate risk in your business by assessing your level of risk in each category.

1. Assess the real business risks and reduce them to an acceptable level.

When you have 13 categories to assess, it is easy to identify several risks which, although legitimate in themselves, may not be real to your business. To address this, we must look in more detail at what “risk” is.

Wikipedia defines “IT risk” as “Threat * Vulnerability * Asset Value.” To this we need to add “likelihood.” An example of a risk that is likely to happen is car accidents: the likelihood is that at least one will happen daily, while the impact can range from a little bit of bodywork to millions in compensation. So serious can be the impact of this risk that the government requires motorists to take out insurance to mitigate it. In another example, the likelihood of water pipes freezing in India is very low, so a global water company would probably accept this risk, yet apply protective measures to its pipes in Iceland. So when assessing risk, be sure it is real to your business and that the cost of reducing it to an acceptable level is reasonable in proportion to the potential loss.

[Figure: risk matrix of Likelihood against Impact]



This table shows a simplified view of assessing Likelihood against Impact. For more complex environments, you may want a more fine-grained approach. Measuring the likelihood of the risk occurring against the impact it will have on your business will help focus your efforts on the risks that will cause you the most damage.

2. Don't restrict access to information, but make it securely available.

Information security, for me, has been about making the correct information available to authenticated and authorised people. Too often information security is seen as a barrier to getting on with business. With the introduction of security technologies such as IPv6's point-to-point encryption, Trusted Platform Modules in end-point devices, and authentication of users, devices and servers, we can provide access to information where and when it is needed to those with justified access. With the rapid expansion of the use of cloud platforms, it is more important today than ever that we have the right protection in place to give users and businesses the confidence and trust to take advantage of the benefits these solutions provide.

3. Ensure you have the right approach to information security risk assessment and risk exposure for your business.

Every business is unique and requires an approach that reflects the corporate attitude to the risks facing it. As in life, risks can change with time. For example, pension plans often take a higher tolerance to risk during their early days in order to maximise the opportunity for profit, but towards maturity the pension fund investments move to safer options, such as bonds and cash balances, to protect the assets’ value.

HP Security Discovery Workshops can assist in ensuring you are applying the right approach to your particular risks and help discover how the latest developments in cloud, BYOD and mobile data management can be used to develop the solution that’s right for you.

4. Go back to basics to successfully evaluate the security risks.

Getting back to basics will help you keep your risk assessment real. A purely mathematical approach may demonstrate that a particular mechanism will reduce your risk level to what appears to be acceptable. However, the introduction of likelihood, as used above, can give a more realistic view. An example I saw in the real world was where a purely mathematical approach demonstrated that sending information by CD in the post was preferable to sending it as a file over an internet connection. Both used strong encryption and chain of custody; however, the CD method had a higher likelihood of being lost in transit (possibly leading to a newspaper article about data loss) than the file had of being lost or intercepted across a secured internet connection.

5. Analyzing risk is the road to developing your information security management strategy.

Once we have assessed the risks, how do we know the best way of handling them?

There are 4 basic options for handling risk:

  1. Accept
  2. Mitigate
  3. Transfer
  4. Avoid

We accept risks when the cost of handling them outweighs the cost of the risk being realised and we wish to proceed despite the risk, because the rewards in doing so are worthwhile. If the costs of mitigation or transference are such that it is still practical to proceed, then we will spend enough to reduce the risk to an acceptable level. If none of these options is appropriate, then we can choose to avoid the risk by not proceeding or by changing direction.
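As an added example (not from the original post or from HP), here is a small Python model that ties together the likelihood-versus-impact matrix from step 1 and the four handling options from step 5. The 3x3 ordinal scale, the cost figures, the risk-appetite threshold and the decision rules are assumptions chosen to illustrate the reasoning, not HP's method.

```python
from dataclasses import dataclass

# Assumed ordinal scale for the simplified 3x3 likelihood-vs-impact view
LEVELS = {"low": 1, "medium": 2, "high": 3}

def risk_rating(likelihood: str, impact: str) -> str:
    """Rate a risk by multiplying ordinal likelihood and impact (9-box matrix)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"      # scores 6 or 9: deal with these first
    if score >= 3:
        return "medium"    # scores 3 or 4
    return "low"           # scores 1 or 2

@dataclass
class Risk:
    name: str
    events_per_year: float    # quantitative likelihood
    loss_per_event: float     # impact, in currency units
    mitigation_cost: float    # annual cost of the control
    residual_per_year: float  # expected annual loss left after the control
    transfer_cost: float      # e.g. an insurance premium per year
    benefit: float            # annual reward from proceeding with the activity

    def expected_loss(self) -> float:
        return self.events_per_year * self.loss_per_event

def choose_treatment(r: Risk, appetite: float) -> str:
    """Pick accept / mitigate / transfer / avoid; 'appetite' is the acceptable annual loss (assumed)."""
    el = r.expected_loss()
    if el <= appetite:
        return "accept"                 # already within tolerance, no spend needed
    candidates = {"transfer": r.transfer_cost}
    if r.residual_per_year <= appetite:  # a control only counts if it reaches an acceptable level
        candidates["mitigate"] = r.mitigation_cost + r.residual_per_year
    best, cost = min(candidates.items(), key=lambda kv: kv[1])
    if cost < el and cost < r.benefit:   # cheaper than the loss, and still practical to proceed
        return best
    if el < r.benefit:
        return "accept"                 # handling costs more than the risk; the reward is worth it
    return "avoid"                      # nothing practical is left: do not proceed

if __name__ == "__main__":
    # Constructed figures for the post's car-accident example
    car = Risk("car accidents", 1.0, 200000, 50000, 20000, 30000, 500000)
    print(risk_rating("high", "high"), choose_treatment(car, 5000))
```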

HP Security Analytics provides a great way to model your risks and the mechanisms available to handle them. By analysing the effect of spend in one area, it can demonstrate the effect on your overall security posture. For example, it can show whether it would be more effective for your business to spend money improving patching or upgrading your anti-virus products. It follows the process of modelling: experiment with “what if” scenarios to provide a detailed analysis of the most cost-effective solution for you.

See HP Security Analytics for more information on how to make better decisions when creating a more secure environment for your business.

6. Ensure that you are compliant with your legal, regulatory and business requirements.

There are so many standards, regulations and legal requirements placed on businesses that it is difficult to keep track of the changes. They all aim at protecting your customers and the marketplace you operate in, and often protect the future viability of your business by creating a level playing field. It only makes economic sense to invest in security if your competition is doing likewise. The 3-step approach I like to take to this challenge is:

  1. Ascertain which requirements apply to the business.
  2. Assess the commonality between the different requirements.
  3. Create a system that assesses each requirement only once.

Automating the collection of this evidence can allow for continuous compliance, reducing the burden of responding to audit requests, as these can be performed as and when required. HP Server Automation software can provide an integrated solution for automating server operations and demonstrating compliance.

These 6 steps, when followed in a conscientious manner, will help you to mitigate risk in your business. As part of a holistic approach to risk, HP’s Security Intelligence and Risk Management Services can help you:

  • Assess risk, plan secure applications and implement security practices
  • Improve security, reduce risk and comply with regulatory requirements
  • Reduce operating costs, identify vulnerabilities and resolve issues rapidly

Comments
Nadhan | 03-01-2012 07:13 PM

Hello the_integrator, great post! We cannot afford to take this lightly. Here is my take on some parallels to scenarios where security is compromised: http://bit.ly/wAkS2g

TSchreider | 09-28-2012 04:06 PM

The NIST 9-box chart that you have presented above is a time honored approach to projecting risk. More detailed information can be found in NIST SP 800-30 - Risk Management Guide for Information Technology Systems or the Risk Management Framework (RMF) located at http://csrc.nist.gov/groups/SMA/fisma/framework.html.

About the Author
  • A business-first senior executive with over 20 years of hands-on experience in defending banks, governments and corporations against cyberwarfare. My career in security started when I was employed to crack a secure system, which had locked down the boot process, whitelisting of applications and encrypted disks. I linked TeamOffice (an ICL email and collaboration system) with Microsoft Word to send an email which allowed me to do anything the person reading the email could do and send the results back to me, all without their knowledge. Having proved this vulnerability, I worked with Peter Simpson to create Defuse, a tool that blocked inappropriate actions. This successfully blocked Winword Concept, the first known malicious code in the wild. From these beginnings I have investigated all aspects of security to provide an holistic approach to security as a business enabler, and I am currently advising organisations on the suitability of the cloud to their needs.