The risks associated with each function and asset then need to be individually evaluated to determine how each can best be mitigated. Managers must make decisions of avoidance, rejection, acceptance or transfer of risk to modify the baseline, before any security implementation strategies are started. And, while there are a number of ways to evaluate risk including avoidance, rejection, acceptance and transference, it is nearly impossible to avoid risk.
Avoidance requires the elimination of risk by ceasing or never undertaking an activity that produces exposure to risk. In making this decision, a company must weigh the potential value of an asset against the reality of not having it. If the risk is high and can not be mitigated (reduced), the asset may have a negative value and should be avoided. But, avoidance decisions need to fit the business model as well. If a specific function is required for a business application, it can not be avoided, therefore, the company must find a way to reduce risk without disabling the service.
Risk rejection is a decision that the mitigation cost outweighs the cost of potential loss. For example, building a custom application to eliminate 100 percent of spam would be costly, and while the risk of being spammed is high, the loss of productivity due to spam is minimal.
The decision of risk acceptance (the most common) requires an organization to mitigate the risk through implementing a solution and lastly, transferring risk is the act of moving the responsibility to a third party (such as an insurance company).
The BRA benchmarking exercise helps managers define security priorities and a framework for financial planning. Comparing your list to industry research and stats can also help determine priorities. For example, the latest Symantec Internet Security Threat Report stated that attacks on privacy and confidentiality were the fastest growing information security threats over the last six months, showing 519% growth in volume based on the type of threats found in the top ten malicious code submissions to Symantec Security Response.
Once the benchmark evaluation is complete, companies can use long term, short term and day-to-day strategies to mitigate the accepted business and information security risks. In many cases a combination of strategies makes sense, and its important to apply these strategies to more than just technology. People, processes and products may all have to change to mitigate risk.
Effectively mitigating the impact of viruses, worms, and other malicious code is a good example of using a combination of strategies. The following take into account that the business impact of a successful virus, worm, or other malicious code attack could have dire consequences on the company in terms of customer loyalty, revenue generation and more. The possibility of attack is high based on the benchmark, the cost of mitigation is acceptable, and thus the risk must be mitigated.
According to a recent survey on IT security and the workforce by CompTIA, only a slight majority of organizations (51%) have a written IT policy in place and even more surprising, IT organizations are the least likely industry sector to have a security policy in place.
When considering strategies, take into account outside trigger points and how they will impact whether a mitigation strategy is categorized as long, short or day-to-day. For example, at one time, machine patching could easily have been a short-term strategy. However, the Web-based availability of instructions on how to exploit known vulnerabilities has shortened the time between the patch availability and the worm or virus from months, down to days. So, patching now must be a day-to-day activity.
One of the easiest ways to mitigate risk is also one of the most forgotten -- access control. This component of risk mitigation spans all three strategies and can significantly reduce the effectiveness of security attacks. Many vulnerabilities, such as RPC DCOM (vulnerability exploited by MSBlaster), rely on access to critical machine files to be effective.
So, creating access control policies that govern access to specific machine files can greatly reduce the effectiveness of the vulnerabilities. Regular assessments of the access controls and policy (another long-term strategy) also provide a mechanism for better security management.
Its important to acknowledge that risk can never be mitigated 100%, no matter how much planning goes into a company's BRA, or how many strategies result from the process. Unknown factors can always change the game but once an asset, threat or risk is known, assessment and mitigation can begin.
Managing the information security through risk assessment and mitigation is an ongoing function. Risk is not a problem that can be solved, but it is a problem that can be managed, limiting potential, permanent damage.
Tom Parker is managing consultant at Shavlik Technologies, a security products and services firm headquartered in St. Paul, Minn. The company helps information technology managers and administrators manage computer systems security, including assessment, security scanning and remediation of security vulnerabilities due to missing patches, weak accounts and passwords.