Risk Management Vs Risk avoidance William Gillette

Security System Development Life Cycle An Overview Investigation Investigation Teams of employees define the problem, scope and set goals/objectives and check feasibility of the project Teams of employees define the problem, scope and set goals/objectives and check feasibility of the project Analysis Analysis Looks at current security policies, threats, controls, and legal issues that could impact a new security policy/system. Risk management stage Looks at current security policies, threats, controls, and legal issues that could impact a new security policy/system. Risk management stage Design Design The logical and physical design of security system. Risk avoidance stage The logical and physical design of security system. Risk avoidance stage Implement Implement The purchase or development of security solutions. The purchase or development of security solutions. Maintenance Maintenance Security systems constantly need updating, modifying and testing Security systems constantly need updating, modifying and testing

Risk Management Defined: Defined: The process of identifying vulnerabilities in an organization’s information systems and or programs. Then taking steps to assure its confidentiality, availability, integrity, authenticity. The process of identifying vulnerabilities in an organization’s information systems and or programs. Then taking steps to assure its confidentiality, availability, integrity, authenticity.

Risk Management Step by Step analysis Step 1 Know yourself. Step 1 Know yourself. First, you must identify, examine, and understand the data/information and systems that interact on these elements. First, you must identify, examine, and understand the data/information and systems that interact on these elements. Second, once you know what you have you can now look at what is already being done to protect these assets. Second, once you know what you have you can now look at what is already being done to protect these assets. Third, Identify if these controls are being properly maintained and administrated. Third, Identify if these controls are being properly maintained and administrated.

Risk Management Step by Step analysis Step 2 know you enemy Step 2 know you enemy Now that you are informed of your organization’s assets and weaknesses you must identify, examine, understanding the treats facing your organization. Now that you are informed of your organization’s assets and weaknesses you must identify, examine, understanding the treats facing your organization. In turn you must also identify the aspects of the treats that will most directly effect you organization. In turn you must also identify the aspects of the treats that will most directly effect you organization. With your understanding of the threats you are now ready to create a list of treats prioritized by the importance of the threat and the asset. With your understanding of the threats you are now ready to create a list of treats prioritized by the importance of the threat and the asset. Remember in business, business needs come first technology (including security mainly come second) Remember in business, business needs come first technology (including security mainly come second)

Risk Management Step by Step analysis Step 3 know your community Step 3 know your community Information security community: theses people understand the threats the most and often take a leadership role when it comes addressing threats. Information security community: theses people understand the threats the most and often take a leadership role when it comes addressing threats. Users and managers communities: when properly trained this group plays a critical part in the area of early detection. Users and managers communities: when properly trained this group plays a critical part in the area of early detection. Both groups are also responsible for Both groups are also responsible for Evaluating risk controls Evaluating risk controls Determining which control option are cost effective Determining which control option are cost effective Acquiring or installing the needs for controls. Acquiring or installing the needs for controls. Overseeing that the controls remains effective. Overseeing that the controls remains effective.

Risk avoidance Defined: Defined: A risk control strategy that attempts to prevent attacks to organizational assets, through there vulnerabilities. A risk control strategy that attempts to prevent attacks to organizational assets, through there vulnerabilities. This is the most preferred risk control strategy as it seeks to avoid risk/treats entirely. This is the most preferred risk control strategy as it seeks to avoid risk/treats entirely. Avoidance is accomplish through countering treats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards. Avoidance is accomplish through countering treats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.

Methods of risk avoidance Avoidance through application of policy. Avoidance through application of policy. Avoidance through application of training and education. Avoidance through application of training and education. Avoidance though application of technology. Avoidance though application of technology.

Avoidance through application of policy This mandates that procedure must be followed when dealing with a sensitive asset. This mandates that procedure must be followed when dealing with a sensitive asset. Example requiring random assigned password to access sensitive assets like customer databases. Example requiring random assigned password to access sensitive assets like customer databases.

Avoidance through application of training and education New policies must be communicated to employees. In addition new technology requires training. New policies must be communicated to employees. In addition new technology requires training. General security awareness issues. General security awareness issues. Awareness, education, and training are essential if employees are to exhibit safe controlled behavior. Awareness, education, and training are essential if employees are to exhibit safe controlled behavior.

Avoidance though application of technology. In the real world technological solutions are often required to assure that a risk is reduced. In the real world technological solutions are often required to assure that a risk is reduced. The use of countering measure to reduce or eliminating the exposure of a particular asset to a specific treat. The use of countering measure to reduce or eliminating the exposure of a particular asset to a specific treat. Implementing safeguards to defect attack on systems and therefore minimize the probability of a attack will be successful. Implementing safeguards to defect attack on systems and therefore minimize the probability of a attack will be successful.

Risk Management Vs Risk avoidance Risk management Risk management Identifying vulnerabilities in an organization’s information systems and or programs Identifying vulnerabilities in an organization’s information systems and or programs Risk avoidance Control strategy that attempts to prevent attacks

Bibliography Information Technology for Management Henry C. Lucas 7 th Edition Irwin McGraw-Hill Information Technology for Management Henry C. Lucas 7 th Edition Irwin McGraw-Hill Principles of Information Security Michael E. Whitman Thomson Course Technology. Principles of Information Security Michael E. Whitman Thomson Course Technology. Information Security Issues that Healthcare Management Must Understand Journal of Healthcare Information Management Vol 17 # Winter 2003 Information Security Issues that Healthcare Management Must Understand Journal of Healthcare Information Management Vol 17 # Winter 2003