Information Security Management Articles

Monday, 4 June 2007

What You Should Know About Security Policies (Part 4 of 8)


Previous issues:
Part 1 of 8 - Introducing Security Policies
Part 2 of 8 - Critical Success Factors
Part 3 of 8 - Policy Development


PART 4 - RISK ASSESSMENT FOR SECURITY POLICIES
In this installment of "What you need to know about security policies", we cover the following concepts on conducting a risk analysis (RA) for policy development: the reasons for RA, and risk assessment and analysis methods.


Reasons for Risk Analysis
Essentially, risk analysis is the process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and, most importantly, HOW you are going to protect it. The risk management approach to information security involves identifying, assessing, and appropriately mitigating the vulnerabilities and threats that can adversely impact the information assets of the organization.

For an in-depth look at risk analysis, refer to my previous posts on "Fundamental Risk Management Concepts".

Apart from the mere identification of risks, there are several significant reasons for risk analysis and assessments to be part of your security policy development effort:

  • The prioritization of risks.
    Ensure that important matters are addressed, for budgeting and action plans.
  • Identify management processes that are lacking or broken.
  • To set or reference a baseline.
    Has security improved over time, or does it need more resources?
  • To confront overly optimistic managers with reality.
  • To gather information for security control enhancements to be justified.
  • Show compliance against regulations, laws and contracts.
    Generate due diligence evidence to protect against lawsuits.
  • Indirectly sell information security to senior management.
The appropriate and cost-effective mitigation of risk requires that an organization address security objectives and costs in tandem with business and operational goals.

Blindly applying technology to protect against every conceivable threat is not the smartest way to deal with security. A better way is to identify how much business risk each threat poses — how vulnerable are you really, if a particular threat occurs?

This way of thinking helps you minimize security implementation costs, and provides the flexibility you’ll need to help you evaluate new threats. By considering the business risks, as well as the out-of-pocket expenses and time required to fix each new vulnerability, you’ll be able to make an intelligent business decision about whether it makes sense to mitigate the threat.
Note that your exposure is proportional to how long it takes to fix the problem, multiplied by the level of risk involved. (RSA)

How does risk analysis empower policy writing?
Risk analysis establishes a reference point along a spectrum of possible policies, for example on the personal use of organization I.T. resources. (Wood, 2004)


Risk Analysis Methods

For example, one formal approach to risk analysis is:

Asset Identification and Valuation
While the other sections are important, the value of the security policy is ultimately related to the assets it is protecting. As a result, a company must perform an in-depth audit of its resources to determine what constitutes an asset and, more importantly, the value of that asset.

Risk Management and policy development

  • Identifying risk priorities
  • Policies and the risk treatment plan
  • Mapping policies to identified risks

In the next installment, Part 5 of 8 - Policy Development Sources of this series on "What you need to know about Security Policies", I will cover "Sample Policies and Templates".
