Tuesday, October 21, 2014

Week 9 - Risk Management Part 2

Last week discussed Risk Management from the perspective of identifying where risk is present in an organization by cataloging assets, their vulnerabilities, and the potential threats that could take advantage of those vulnerabilities.  Once these risks are identified they must then be controlled.  Five general categories of risk control are available: defense, transferal, mitigation, acceptance, and termination.  Most often an economic feasibility study or cost-benefit analysis is conducted to review the different control options available and decide on the best course of action.  However, the best economic choice might not always meet the needs of the organization, and it is possible that other factors will affect the decision of what controls to put in place.  Once the financial considerations are reviewed it is also important to understand whether the controls selected, or even the controls available, will meet the organization's risk appetite.  The risk that remains after controls are applied is the residual risk, and it is against this residual risk that the organization's risk appetite is measured.  When performing risk analysis it is possible that specific measures will not be available.  In that case expert opinion and group consensus can be used to estimate values so that the process can move along, and later review, when feedback information is available, can be used to true up these estimates.  There are a number of possible risk management approaches that an organization can apply to define its risk management practices.  Regardless of the method used, monitoring and measurement must take place periodically to ensure the effectiveness of the controls in use.  One question that comes up when gathering these metrics is how best to retain this information and make use of it.

Marcus Ranum wrote an article in SecurityWeek on September 19, 2014 titled True White-Knuckled Stories of Metrics in Action: The Faculty Systems that describes how a university security manager used the metrics he had gathered to convince the owners of a wide array of independent systems at the university to consolidate under a centralized security configuration management control.  He did this by presenting his metric information so that it was relevant to each situation being discussed.  The important point in this discussion is that the metric information was stored in an unconsolidated (fine-grained) form, so that the security manager could tailor the information for each discussion.  Using this information the security manager was able to show that the systems administered independently of the information technology department were twice as likely to be compromised and took twice as long to address a compromise once it was identified.  Based on this a policy was put in place stating that any independent system that was compromised would be isolated from the university network until corrections were made.  This resulted in 75% of the independent systems moving to information technology management in short order.  The suggestions given for security metric information are to keep it as fine-grained as possible, think ahead of time about the information being collected, and consider what data will be available when a problem arises so that the best picture of what is occurring can be presented.  As Mr. Ranum and others have pointed out, storage space is inexpensive but analysis is not.  Using this method he was able to create a policy and implement a control to address the risk arising from systems running multiple configurations.
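To show what "keep the metrics fine-grained and aggregate at analysis time" looks like in practice, here is a small added example (my own code, not from Ranum's article or the course material).  It keeps one record per system and per compromise, then computes compromise rate and mean time to remediate for any grouping chosen at analysis time; the hosts, departments and timestamps are constructed sample data, and the field names are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Callable, Dict, List, Optional


@dataclass
class SystemRecord:
    """One row per system: raw facts kept, nothing pre-summarized."""
    host: str
    department: str
    managed_by: str             # "central IT" or "independent"
    detected: Optional[str]     # ISO time a compromise was detected, None if none
    remediated: Optional[str]   # ISO time the compromise was cleaned up


# Constructed sample data (not real systems or incidents).
RECORDS: List[SystemRecord] = [
    SystemRecord("lab-01", "physics", "independent", "2014-09-01T08:00", "2014-09-03T08:00"),
    SystemRecord("lab-02", "physics", "independent", None, None),
    SystemRecord("lab-03", "biology", "independent", "2014-09-10T09:00", "2014-09-12T09:00"),
    SystemRecord("lab-04", "biology", "independent", None, None),
    SystemRecord("it-01", "physics", "central IT", "2014-09-05T10:00", "2014-09-06T10:00"),
    SystemRecord("it-02", "physics", "central IT", None, None),
    SystemRecord("it-03", "biology", "central IT", None, None),
    SystemRecord("it-04", "biology", "central IT", None, None),
]


def hours_to_remediate(r: SystemRecord) -> float:
    start = datetime.fromisoformat(r.detected)
    end = datetime.fromisoformat(r.remediated)
    return (end - start).total_seconds() / 3600


def summarize(records: List[SystemRecord],
              group_key: Callable[[SystemRecord], str] = lambda r: r.managed_by) -> Dict[str, dict]:
    """Aggregate the raw records by whatever key fits the discussion at hand."""
    groups: Dict[str, List[SystemRecord]] = {}
    for r in records:
        groups.setdefault(group_key(r), []).append(r)
    summary = {}
    for name, rs in groups.items():
        hit = [r for r in rs if r.detected and r.remediated]
        summary[name] = {
            "systems": len(rs),
            "compromise_rate": len(hit) / len(rs),
            "mean_hours_to_remediate": mean(hours_to_remediate(r) for r in hit) if hit else 0.0,
        }
    return summary


def compare(summary: Dict[str, dict], a: str, b: str) -> Dict[str, float]:
    """Ratio of group a's figures to group b's, e.g. 'twice as likely to be compromised'."""
    return {
        "compromise_rate_ratio": summary[a]["compromise_rate"] / summary[b]["compromise_rate"],
        "remediation_time_ratio": summary[a]["mean_hours_to_remediate"] / summary[b]["mean_hours_to_remediate"],
    }
```

Because the raw rows are retained, the same data can be re-cut per department (`summarize(RECORDS, lambda r: r.department)`) when talking to a particular system owner, without collecting anything new.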
