Risk Management - Selecting Safeguards
Posted by Harisinh | Posted in | Posted on 2:29 AM
A primary function of computer security risk management is the identification of appropriate controls. In designing (or reviewing) the security of a system, it may be obvious that some controls should be added (e.g., because they are required by law or because they are clearly cost-effective).
It may also be just as obvious that other controls may be too expensive (considering both monetary and nonmonetary factors). For example, it may be immediately apparent to a manager that closing and locking the door to a particular room that contains local area network equipment is a needed control, while posting a guard at the door would be too expensive and not user-friendly.
In every assessment of risk, there will be many areas for which it will not be obvious what kind of controls are appropriate. Even considering only monetary issues, such as whether a control would cost more than the loss it is supposed to prevent, the selection of controls is not simple. However, in selecting appropriate controls, managers need to consider many factors, including: organizational policy, legislation, and regulation; safety, reliability, and quality requirements; system performance requirements; timeliness, accuracy, and completeness requirements; the life cycle costs of security measures; technical requirements; and cultural constraints.
One method of selecting safeguards uses a "what if" analysis. With this method, the effect of adding various safeguards (and, therefore, reducing vulnerabilities) is tested to see what difference each makes with regard to cost, effectiveness, and other relevant factors, such as those listed above. Trade-offs among the factors can be seen. The analysis of trade-offs also supports the acceptance of residual risk, discussed below.
This method typically involves multiple iterations of the risk analysis to see how the proposed changes affect the risk analysis result. Another method is to categorize types of safeguards and recommend implementing them for various levels of risk. For example, stronger controls would be implemented on high-risk systems than on low-risk systems. This method normally does not require multiple iterations of the risk analysis.
As with other aspects of risk management, screening can be used to concentrate on the highest-risk areas. For example, one could focus on risks with very severe consequences, such as a very high dollar loss or loss of life, or on the threats that are most likely to occur.
That is all about selecting safeguards in risk management.
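As an added illustration (not part of the original post), the two selection methods above side by side: an iterated "what if" pass that re-runs the loss calculation with each candidate safeguard added and keeps only those whose loss reduction exceeds their cost, and a tiering function for the categorize-by-risk-level method. The risks, costs and reduction factors are constructed sample figures, and the greedy iteration and thresholds are assumptions for the example.

```python
"""Added example: "what if" safeguard selection plus risk-tier categorization.
All numbers are constructed sample values, not measured loss data."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    annual_likelihood: float   # expected occurrences per year
    loss_per_event: float      # monetary impact of one occurrence


@dataclass
class Safeguard:
    name: str
    annual_cost: float         # life-cycle cost expressed per year
    reduces: str               # name of the risk it acts on
    likelihood_factor: float   # multiplier on likelihood (0.2 = 80% fewer events)


def expected_loss(risks):
    """Annual expected loss across all risks (likelihood x impact)."""
    return sum(r.annual_likelihood * r.loss_per_event for r in risks)


def apply(risks, sg):
    """Return a new risk list with one safeguard's effect applied."""
    return [Risk(r.name, r.annual_likelihood * sg.likelihood_factor, r.loss_per_event)
            if r.name == sg.reduces else r for r in risks]


def what_if(risks, candidates):
    """Greedy iteration (an assumption of this example): each round re-runs the
    analysis with every remaining candidate, keeps the best net benefit, and
    stops when no candidate saves more than it costs. Returns chosen names and
    the residual risk list that remains for management to accept."""
    chosen = []
    while True:
        base, best = expected_loss(risks), None
        for sg in candidates:
            net = base - expected_loss(apply(risks, sg)) - sg.annual_cost
            if net > 0 and (best is None or net > best[0]):
                best = (net, sg)
        if best is None:
            return chosen, risks
        risks = apply(risks, best[1])
        candidates = [c for c in candidates if c is not best[1]]
        chosen.append(best[1].name)


def tier(risk):
    """Categorization method: map expected annual loss to a control level (thresholds assumed)."""
    eal = risk.annual_likelihood * risk.loss_per_event
    return "high" if eal >= 10_000 else "medium" if eal >= 1_000 else "low"


# Constructed sample data echoing the LAN-room example in the text.
RISKS = [Risk("lan-room intrusion", 0.5, 40_000), Risk("laptop theft", 2.0, 3_000),
         Risk("fire", 0.01, 500_000)]
CANDIDATES = [Safeguard("lock LAN room door", 200, "lan-room intrusion", 0.2),
              Safeguard("guard at LAN room", 60_000, "lan-room intrusion", 0.05),
              Safeguard("laptop cable locks", 500, "laptop theft", 0.5)]
```

Running `what_if(RISKS, CANDIDATES)` selects the door lock and the cable locks, rejects the guard because its cost exceeds the loss it would prevent, and leaves a residual expected loss that the organization must explicitly accept.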
Enjoy.....