Lec2risk AssessmentA

This document discusses risk management and security policies. It explains that risk assessment involves 5 steps: checking policies, analyzing resources, considering business concerns, evaluating controls, and leveraging existing architecture. A security policy should cover physical, user access, network, and system security. It communicates a vision, represents requirements, and should be updated annually. The document also discusses categories of security controls, security processes like education and vulnerability management, and the vulnerability lifecycle of discovery, repair, notification, and deployment.

Uploaded by Affan Khawaja

Risk Management

Lecture 2
Assessing risk
To retain complete control over your networks and data, you must take a proactive approach to security, an approach that starts with an assessment to identify and categorize your risks.

◻ Risk assessment can be performed using five steps:
1. Check existing security policies
2. Analyze, prioritize and categorize resources
3. Consider business concerns
4. Evaluate existing security controls
5. Leverage existing management and control architecture
Security Policy
◻ A security policy is a document that reflects the overall security concepts, standards, and processes that form the foundation for every security measure taken by an organization.

◻ The security policy of an organization should cover the following:
⬜ Physical security to protect the people, equipment, facilities and computer assets.
⬜ User ID and rights management to ensure only authorized users have access to the organization's network devices.
⬜ Network security to protect the network devices.
⬜ System security to deploy the necessary defenses.

◻ Authorized security tools and the testing required for a particular computer environment.
◻ Auditing procedures to periodically check security compliance.
Benefits of security policy
◻ Communicates a common vision for security throughout a company.
◻ Represents a single, easy-to-use source of security requirements.
◻ Exists as a flexible document that should be updated at least annually to address new threats.
SECURITY POLICY TEMPLATE-II
A security policy is the essential basis on which an effective and comprehensive security program can be developed. This critical component is the primary way in which the agency security plan is translated into specific, measurable, and testable goals and objectives.

The security policies developed must establish a consistent notion of what is and what is not permitted with respect to control of access to your information resources. They must bond with the business, technical, legal, and regulatory environment of your agency.

The following is a recommended outline of the components and characteristics of a security policy template. A sample Acceptable Use Policy using this outline is attached for your reference as Appendix A.

Section 1 – Introduction:
A purpose should be stated in the introduction section. This should provide the reader with a brief description of what this policy will state and why it is needed. The security stance of your agency should be stated here.

Section 2 – Roles and Responsibilities:
It is important that the policy detail the specific responsibilities of each identifiable user population, including management, employees and residual parties.
Section 3 – Policy Directives:
This section describes the specifics of the security policy. It should provide sufficient information to guide the development and implementation of guidelines and specific security procedures.

Section 4 – Enforcement, Auditing, Reporting:
This section states what is considered a violation and the penalties for non-compliance. The violation of a policy usually implies an adverse action which needs to be enforced.

Section 5 – References:
This section lists all references mentioned in the policy, including agency standards, procedures, government code, and State Administrative Manual sections.

Section 6 – Control and Maintenance:
This section states the author and owner of the policy. It also describes the conditions and process in which the policy will be reviewed. A policy review should be performed at least on an annual basis to ensure that the policy is current.
Categories of security control
◻ These five security processes are explained in terms of three categories of security control:
◻ Preventive controls: prevent malicious activity from occurring.
◻ Detective controls: uncover evidence of malicious activity.
◻ Corrective controls: fix problems that have occurred in the environment.
Security processes
◻ Each organization must perform the following security processes to build a sound security infrastructure.
⬜ Education
⬜ Vulnerability management
⬜ Issue management
⬜ Risk management
⬜ Incident management
Security education
◻ A security education plan is a preventive control.
◻ Security education gives users the knowledge of how to prevent potential security breaches by abusers.
◻ Security education defines employees' responsibilities in adhering to security guidelines.
Vulnerability Management Process

Security advisory
◻ Software bugs introduced during development produce security exposures.
◻ To combat these exposures, most manufacturers release additional software code, called patches, to fix bugs, and publish advisories that notify the IT community of software problems.
◻ Every software consumer must have a process to receive these security advisories and apply the necessary patches.
Vulnerability life cycle
◻ Every software vulnerability life cycle has four major stages:
◻ Discovery
◻ Repair
◻ Notification
◻ Deployment
Discovery
◻ The discovery stage begins when someone encounters a software vulnerability.
◻ The optimal action for someone who discovers the vulnerability is to notify the manufacturer, so it can be fixed before it is widely exploited.
Repair
◻ The manufacturer researches the vulnerability and develops a software patch to address the issue.
◻ When the problem cannot be fixed using a software patch, the manufacturer may recommend configuration changes within the software that may fix the problem. This type of solution is usually labeled a workaround.
Notification
◻ After the patch or workaround has been developed, the manufacturer notifies the public about the problem and releases a fix.
Deployment
◻ The deployment stage consists of deploying the manufacturer's fix.
◻ The notification and deployment stages pose the greatest risk to all IT environments: the entire public knows about the vulnerability, advanced abusers have developed automated tools to exploit it, and fixes are still in the process of being deployed.
Vulnerability management process

◻ Once an organization is receiving the appropriate advisories, formal guidelines must be established to determine the severity of the exposures to the environment caused by the software bugs, the timeline to apply fixes, and the group responsible for applying the fixes. These steps make up the vulnerability management process.

◻ In the context of security controls, the security advisory process is considered preventive, as it helps prevent malicious attacks.
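The three decisions the process above calls for (severity of the exposure to the environment, timeline to apply the fix, responsible group), as an added Python example that is not from the lecture. It combines the manufacturer's published severity with the asset criticality from the "prioritize and categorize resources" step; the deadline table, asset classes and group names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy tables (assumptions for this example, not from the lecture):
# environment severity -> maximum days after vendor notification to deploy the fix,
# and asset class -> group responsible for applying fixes.
PATCH_DEADLINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RESPONSIBLE_GROUP = {"server": "platform-ops", "workstation": "desktop-support",
                     "network": "network-engineering"}
SEVERITY_RANK = ["low", "medium", "high", "critical"]


@dataclass
class Advisory:
    advisory_id: str      # vendor advisory identifier (sample values below are constructed)
    vendor_severity: str  # severity as published by the manufacturer
    fix_type: str         # "patch" or "workaround": outcome of the Repair stage
    published: date       # Notification stage: the day the vendor went public


@dataclass
class Asset:
    name: str
    asset_class: str      # key into RESPONSIBLE_GROUP
    criticality: str      # "high", "medium" or "low", from the resource prioritization step


def environment_severity(advisory: Advisory, asset: Asset) -> str:
    """Vendor severity says how bad the bug is; asset criticality says how bad it is here."""
    rank = SEVERITY_RANK.index(advisory.vendor_severity)
    if asset.criticality == "high":
        rank = min(rank + 1, len(SEVERITY_RANK) - 1)  # escalate on business-critical assets
    elif asset.criticality == "low":
        rank = max(rank - 1, 0)
    return SEVERITY_RANK[rank]


def triage(advisory: Advisory, asset: Asset, today: date) -> dict:
    """Severity of the exposure, deadline to apply the fix, owning group, and whether it is late."""
    severity = environment_severity(advisory, asset)
    deadline = advisory.published + timedelta(days=PATCH_DEADLINE_DAYS[severity])
    return {"advisory": advisory.advisory_id, "asset": asset.name, "severity": severity,
            "fix": advisory.fix_type, "owner": RESPONSIBLE_GROUP[asset.asset_class],
            "deadline": deadline, "overdue": today > deadline}


if __name__ == "__main__":
    # Constructed sample advisory and assets; the same bug lands in different tiers.
    adv = Advisory("VENDOR-ADV-0001", "high", "patch", date(2024, 3, 1))
    for asset in (Asset("db01", "server", "high"), Asset("kiosk07", "workstation", "low")):
        print(triage(adv, asset, date(2024, 3, 10)))
```

Items flagged `overdue` are the ones sitting in the deployment stage the lecture calls the riskiest window, so they are the natural input to an escalation report.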
◻ Microsoft Security Bulletins – Updates & News: http://technet.microsoft.com/en-us/security/dn481339


◻ Further reading
◻ Chapter 4, Managing IT Risk, in Principles of Information Security by Michael E. Whitman
