Weakness is a better teacher than strength ... - PDF Archive

More documents

Recommendations

Info

$C:\Documents and Settings\dave\Desktop\Godel, Escher, Bach ...$

-~-----------------------... 314 Chapter 9 Threat source '"'-------------------- Yes Yes System is Threat and System ......... design . toattack exist Vulnerable? -+ Exploitable?-+- vull1erapl~·......i vulnerability +No ~ No No risk No risk Figure 9-2 Risk-handling action points Source: Course Technology/Cengage Learning • When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood of a vulnerability being exercised. • When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack. • When the attacker's potential gain is greater than the costs of attack: Apply protections to increase the attacker's cost or reduce the attacker's gain, by using technical or managerial controls. • When the potential loss is substantial: Apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss. 3 Once a control strategy has been selected and implemented, controls should be monitored and measured on an ongoing basis to determine their effectiveness and to estimate the remaining risk. Figure 9-3 shows how this cyclical process ensures that risks are controlled. At a minimum, each information asset-threat pair should have a documented control strategy that clearly identifies any residual risk that remains after the proposed strategy has been executed. This control strategy articulates which of the four fundamental risk-reducing approaches will be used and how the various approaches might be combined, and justifies the findings by referencing the feasibility studies. Some organizations document the outcome of the control strategy for each information assetthreat pair in an action plan. This action plan includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual. It may include hardware and software requirements, budget estimates, and detailed timelines.
Feasibility and Cost-Benefit Analysis 315 Identify information assets + Prepare ranked vulnerability risk worksheet t Implement control Assess control Develop control Are Ye 5 strategy and the controls plpn adequate? No t---- No Yes Figure 9-3 Risk control cycle Source: Course Technology/Cengage Learning • Feasibility and Cost-Benefit Analysis Before deciding on the strategy (avoidance, transference, mitigation, or acceptance) for a specific vulnerability, an organization must explore all readily accessible information about the economic and noneconomic consequences of the vulnerability. This exploration attempts to answer the question, "What are the actual and perceived advantages of implementing a control as opposed to the actual and perceived disadvantages of implementing the control?" While the advantages of a specific control can be identified in a number of ways, the primary means is to determine the value of the information assets that it is designed to protect. There are also many ways to identify the disadvantages associated with specific risk controls. The following sections describe some of the more commonly used techniques for making these choices. Some of these techniques use dollar-denominated expenses and savings from economic cost avoidance, while others use noneconomic feasibility criteria. Cost avoidance is the money saved by avoiding, via the implementation of a control, the financial ramifications of an incident. Cost-Benefit Analysis The criterion most commonly used when evaluating a project that implements information security controls and safeguards is economic feasibility. While any number of alternatives may solve a particular problem, some are more expensive than others. Most organizations can spend only a reasonable amount of time and money on information security, and the definition of reasonable varies from organization to organization, and even from manager to manager. Organizations can begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets become compromised. Common sense dictates that an organization should not spend more to protect
Page 1 and 2: Weakness is a better teacher than s
Page 3 and 4: Risk Control Strategies 309 Control
Page 5 and 6: Risk Control Strategies 311 Plan In
Page 7: Managing Risk 313 safeguards; and (
Page 11 and 12: Feasibility and Cost-Benefit Analys
Page 19 and 20: Recommended Risk Control Practices
Page 21 and 22: Recommended Risk Control Practices
Page 23 and 24: Review Questions 329 Chapter Summar
Page 25 and 26: Exercises 331 2. How did the XYZ So

Weakness is a better teacher than strength ... - PDF Archive

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?