Resources

Risk Management

The risk management process involves identifying a threat and then using a methodology to assess the probability and the potential impact of that threat. Thus a payroll server will usually carry a higher risk rating than a workstation for the same threat. However, the standard information security approach is to patch all systems equally. By using a risk management approach and optimizing the risk reduction process to better serve business priorities, both better security and greater efficiency can be gained.

Two of the most common methods of risk reduction are applying security patches and applying "workarounds". Workarounds are just a small subset of effective security controls that are often overlooked. Another common approach to managing risk is simply retaining the risk. Unfortunately, retention is more often the result of a risk having been overlooked, or judged unsolvable, than of a deliberate decision.

Patching is a good solution for risk reduction. If you need to patch, links to associated security sites are contained here. Sometimes alternative controls are a better solution than patching. More regarding alternative controls can be found under Alternative Controls.
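The scoring and prioritisation described above (rate each threat against each asset by probability and impact, then decide between patching, a workaround and documented retention), worked through as an added example. This is illustrative code written for this page, not a tool from the site; the 1 to 5 scales, the risk = likelihood x impact formula, the tolerance threshold of 6, and the sample assets and threats are all constructed assumptions, not figures from the page.

```python
"""Risk-based prioritisation of patching and alternative controls.

Added illustration, not code from the original page. The 1-5 likelihood and
impact scales, risk = likelihood x impact, the tolerance threshold and all
sample assets and threats below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # 1 (rare) .. 5 (near certain) that it is exploited
    patch_available: bool    # does a vendor fix exist?


@dataclass
class Asset:
    name: str
    impact: int              # 1 (negligible) .. 5 (severe) if the asset is compromised
    # Alternative controls already in place: threat name -> likelihood reduction.
    controls: dict = field(default_factory=dict)


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Risk before any control is taken into account."""
    return asset.impact * threat.likelihood


def residual_risk(asset: Asset, threat: Threat) -> int:
    """Risk after the asset's alternative controls; likelihood never drops below 1."""
    reduced = max(1, threat.likelihood - asset.controls.get(threat.name, 0))
    return asset.impact * reduced


def treatment(asset: Asset, threat: Threat, tolerance: int) -> str:
    """Deliberate, documented retention when residual risk is within tolerance;
    otherwise patch if a fix exists; otherwise a workaround has to be found."""
    if residual_risk(asset, threat) <= tolerance:
        return "retain"
    if threat.patch_available:
        return "patch"
    return "workaround"


def prioritize(assets, threats, tolerance=6):
    """Rank every asset/threat pair by residual risk, highest first, so that
    effort goes to the payroll server before the workstation for the same threat."""
    rows = [
        {
            "asset": a.name,
            "threat": t.name,
            "inherent": inherent_risk(a, t),
            "residual": residual_risk(a, t),
            "treatment": treatment(a, t, tolerance),
        }
        for a in assets
        for t in threats
    ]
    rows.sort(key=lambda r: (-r["residual"], r["asset"], r["threat"]))
    return rows


# Constructed sample data (assumed values, not from the page).
THREATS = [
    Threat("SMB RCE", likelihood=4, patch_available=True),
    Threat("weak TLS config", likelihood=2, patch_available=False),
]
ASSETS = [
    Asset("payroll server", impact=5),
    # Host firewall blocks inbound SMB on workstations: an alternative control
    # that lowers the likelihood of the SMB threat by 2 on this asset only.
    Asset("workstation", impact=2, controls={"SMB RCE": 2}),
]

if __name__ == "__main__":
    for r in prioritize(ASSETS, THREATS):
        print(f'{r["asset"]:<15} {r["threat"]:<16} inherent={r["inherent"]:>2} '
              f'residual={r["residual"]:>2} -> {r["treatment"]}')
```

Run as-is, the ranking puts the payroll server's SMB exposure (residual 20, patch) first and shows why the same threat on the workstation (inherent 8, residual 4 behind the host firewall) can be an explicit retention rather than an overlooked one. Whatever scale and tolerance you adopt, the point is that the numbers, not a blanket "patch everything" policy, drive the order of work.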

Compliance is a topic we are all aware of. For some, the controls in ISO 27002 or HIPAA are overwhelming. However, all of those compliance regimes are driven by risk and by risk assessments, and many IT frameworks rely on a risk-based approach. Following are some that you may be involved with.
  • COBIT (Control Objectives for Information and related Technology)
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  • FISMA (Federal Information Security Management Act)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • ISA99 (Industrial Automation and Control Systems Security)
  • ISO 27002 (previously ISO/IEC 17799:2005)
  • PCI DSS (Payment Card Industry Data Security Standard)
  • SOX (Sarbanes-Oxley Act of 2002)