The importance of risk-related concepts
It is important to understand the risk-related concepts covered here, from control types to risk calculation and the ways of responding to risk, because they shape security policy. Understanding them lets an organization avoid or reduce risk, confirm that its controls meet the standard it has set for itself, and avoid introducing controls that cause harm later. These concepts should be built into a security program, not bolted on afterwards.
The National Institute of Standards and Technology (NIST) is a United States federal agency that publishes standards and guidelines used by the federal government and widely adopted by other organizations in the US and internationally.
NIST Special Publication 800-53 organizes its security controls into families. Older revisions (up to Revision 3) also grouped those families into three classes, described below; Revision 4 dropped the class labels and Revision 5 reorganized the families again, but the three-way split remains a useful way to think about controls. The three classes work together, and looking at only one of them gives an incomplete picture of an organization's security.
Technical: Controls implemented and executed primarily by the system itself, such as access control, identification and authentication of the users and resources on a computer or network, audit and accountability, and protection of communications.
Management: Controls that concern how risk is governed and managed in the environment, such as security assessment and authorization, planning, risk assessment, and system and services acquisition. Security depends on sound management as much as on a properly configured firewall.
Operational: Controls carried out mainly by people rather than by systems, covering the day-to-day activities that keep an environment secure: what is done when an incident occurs, how configuration changes are managed so that they do not introduce new weaknesses, how assets are protected physically, and others such as contingency planning and awareness training.
Anyone who works in security for long will encounter false positives: an alert that reports something that did not actually happen. A monitoring system may report a virus infection on a server, for example, but on inspection there is no infection. False positives are especially common in signature-based intrusion detection and prevention systems, where benign traffic or activity occasionally matches a signature written for an attack. When an IDS or IPS raises an alert, check what it is actually telling you against other evidence before treating it as a confirmed threat.
False positives are not just noise. An anti-virus product that misidentifies a legitimate system file and quarantines or deletes it can break the operating system or an application. When a file is flagged and you doubt the verdict, submitting it to a multi-engine scanning service, which runs the file through many anti-virus engines, gives a stronger basis for deciding whether the original alert was a false positive. Treat the result as corroborating evidence rather than proof: a file that no engine detects can still be malicious, and uploading a sensitive internal file to a third-party service is itself a disclosure.
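As an added example (not part of the original text), the following Python shows how a signature-only detection rule produces false positives and how corroborating the signature with context reduces them. The telemetry records, user and process names, and the "parent process / command line" fields are constructed for the example; the base64 strings are arbitrary filler, not real encoded commands.

```python
import re

# Constructed endpoint telemetry (not from any real host). Each tuple is
# (ground-truth label, user, parent process, command line). The label is
# part of the construction and is used only to score the rules.
SAMPLE_EVENTS = [
    ("benign", "svc_backup", "sched.exe",    "powershell.exe -File C:\\ops\\backup.ps1"),
    ("benign", "jdoe",       "explorer.exe", "powershell.exe Get-ChildItem C:\\reports"),
    ("attack", "jdoe",       "winword.exe",  "powershell.exe -nop -w hidden -enc QUJDREVGRw=="),
    ("benign", "admin",      "mmc.exe",      "powershell.exe Get-Service Spooler"),
    ("attack", "jsmith",     "outlook.exe",  "powershell.exe -EncodedCommand SGVsbG8="),
    ("benign", "build",      "jenkins.exe",  "cmd.exe /c build.bat"),
]

# The signature itself: "PowerShell was launched". Attackers do this,
# but so do administrators and scheduled jobs all day long.
POWERSHELL_SIGNATURE = re.compile(r"powershell\.exe", re.IGNORECASE)

# Context an analyst would check before believing the alert: was PowerShell
# spawned by an Office application, or handed an encoded command line?
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:enc|encodedcommand)\b", re.IGNORECASE)


def naive_rule(parent: str, cmdline: str) -> bool:
    """Signature only: every PowerShell launch is an alert."""
    return bool(POWERSHELL_SIGNATURE.search(cmdline))


def contextual_rule(parent: str, cmdline: str) -> bool:
    """Same signature, but corroborated with context before alerting."""
    if not POWERSHELL_SIGNATURE.search(cmdline):
        return False
    return parent.lower() in OFFICE_PARENTS or bool(ENCODED_FLAG.search(cmdline))


def score(rule, events=SAMPLE_EVENTS) -> dict:
    """Count true positives, false positives and false negatives for a rule
    against the labelled events."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for label, _user, parent, cmdline in events:
        fired = rule(parent, cmdline)
        if fired and label == "attack":
            counts["tp"] += 1
        elif fired and label == "benign":
            counts["fp"] += 1
        elif not fired and label == "attack":
            counts["fn"] += 1
    return counts


if __name__ == "__main__":
    print("naive     ", score(naive_rule))       # {'tp': 2, 'fp': 3, 'fn': 0}
    print("contextual", score(contextual_rule))  # {'tp': 2, 'fp': 0, 'fn': 0}
```

The trade-off is visible in the scoring: the contextual rule removes the three false positives but only because the constructed attacks happen to come from Office parents or use encoded commands. An attacker who launches PowerShell from another parent without the -enc flag evades it, where the noisy signature would still have fired. Tightening a rule converts false positives into potential false negatives, which is why the double-checking described above belongs in the analyst's process as well as in the rule.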
Importance of policies in reducing risk
In any organization, written policies matter because, in many cases, security is only as strong as the policies behind it. Employees must be made aware of the policies that apply to them, since policies define what people are permitted and required to do in their jobs. Security responsibilities are defined by policy: the better the policies, the better the security they produce. Policy writing is not a one-time task but an ongoing activity, with new policies documented as the organization and its risks change.
There should also be policies stating what privacy employees can expect, for example regarding monitoring of company systems and accounts.
Acceptable use: An acceptable use policy (AUP) sets the rules for how employees and other users may use the organization's assets, including computers, mobile phones, telephones and internet access. Because the rules are written down and acknowledged, an individual who misuses company assets can be held accountable, through disciplinary action or, where the law was broken, prosecution.
Security policy: Security policies cover a wide area. One part is physical security: what to do about a door found unlocked, how visitors are escorted and logged, and how to treat an employee who arrives without a badge. Another is technical security: what to do when a computer is found to be infected with malware, for instance. Everyone must know these policies so they can act correctly when such situations arise.
Mandatory vacations: Some policies exist as fraud controls, and mandatory vacations are one. Employees are required to take leave rather than being allowed to stay on indefinitely, because someone who never leaves can keep concealing misconduct; when another person covers their duties, irregularities tend to surface.
Job rotation: A job rotation policy moves people between roles so that the organization keeps running when any one person is absent, and so that no one holds a single position long enough to carry out and hide fraud: the next person rotated into the role is in a position to notice it.
Separation of duties: Separation of duties ensures that no single person can complete a sensitive process alone. One form is split knowledge, where no one person knows all of a piece of sensitive information (for example, each of two custodians holds half of a cryptographic key). Another is dual control, where an operation requires two people to be present and act together; a business might require that two named officers both authorize any withdrawal from a bank account.
Least privilege: Least privilege is another policy principle: a user or process is granted only the access needed for its task and no more. For example, an account that only needs to look at data on a server is given read permission but not write permission.
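To make the split knowledge and dual control forms of separation of duties concrete, here is an added Python example written for this page, not taken from the original text. A secret key is split into two XOR shares so that neither custodian alone knows it (split knowledge), and a vault object refuses to reconstruct it unless two distinct authorized custodians each present a share (dual control). The custodian names and the DualControlVault class are assumptions of the example.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical set of people allowed to hold key shares (an assumption of the example).
AUTHORIZED_CUSTODIANS = {"alice", "bob", "carol"}


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split knowledge: divide a secret into two XOR shares.

    share_a is uniformly random and share_b = secret XOR share_a, so each
    share on its own is indistinguishable from random and reveals nothing
    about the secret; only the pair reconstructs it.
    """
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the secret from both shares."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class DualControlError(PermissionError):
    """Raised when the dual-control rule is violated."""


@dataclass
class DualControlVault:
    """Dual control: reconstructing the secret needs two distinct authorized
    custodians, each presenting their own share."""
    authorized: set
    presented: dict = field(default_factory=dict)  # custodian -> share

    def present(self, custodian: str, share: bytes) -> None:
        if custodian not in self.authorized:
            raise DualControlError(f"{custodian} is not an authorized custodian")
        if custodian in self.presented:
            raise DualControlError(f"{custodian} has already presented a share")
        self.presented[custodian] = share

    def unlock(self) -> bytes:
        if len(self.presented) != 2:
            raise DualControlError("exactly two distinct custodians are required")
        first, second = self.presented.values()
        return combine_shares(first, second)


def _rejected(fn, *args) -> bool:
    """True if calling fn(*args) is blocked by the dual-control rule."""
    try:
        fn(*args)
    except DualControlError:
        return True
    return False


def demo() -> dict:
    """Walk through the control on a fresh 256-bit key and report what
    was blocked and what succeeded."""
    key = secrets.token_bytes(32)
    share_a, share_b = split_secret(key)
    vault = DualControlVault(AUTHORIZED_CUSTODIANS)
    vault.present("alice", share_a)
    results = {
        # one custodian alone cannot unlock
        "single_custodian_blocked": _rejected(vault.unlock),
        # the same person may not present both shares
        "same_person_twice_blocked": _rejected(vault.present, "alice", share_b),
        # someone outside the authorized set is refused
        "outsider_blocked": _rejected(vault.present, "mallory", share_b),
    }
    vault.present("bob", share_b)
    results["two_custodians_unlock"] = vault.unlock() == key
    return results


if __name__ == "__main__":
    print(demo())
```

The XOR split is the simplest form of secret sharing and is exactly a two-of-two scheme; where the business rule is "any two of three custodians", a threshold scheme such as Shamir's would replace split_secret and combine_shares while the DualControlVault checks stay the same.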
Risk calculation estimates the cost an organization would bear if a security incident occurred. It counts not only the direct loss or damage but also the cost of responding to and recovering from the incident.
Likelihood: Likelihood is one input to a risk calculation and, when expressed per year, is the Annualized Rate of Occurrence (ARO): how often the incident is expected to happen in a year. It is an estimate, ideally based on historical data, and carries real uncertainty.
ALE: The Annual Loss Expectancy is the expected loss from a given risk over a year: ALE = SLE x ARO, the Single Loss Expectancy multiplied by the Annualized Rate of Occurrence. Knowing the expected annual loss lets you budget for the following year and judge whether a control that reduces the loss is worth its cost.
Impact: Impact is not only the monetary value lost. If a stolen laptop holds confidential company or customer information, the loss of confidentiality and the resulting legal and reputational harm may far outweigh the cost of the hardware.
SLE: The Single Loss Expectancy is the expected monetary loss from one occurrence of an incident. It is commonly calculated as the asset value multiplied by the exposure factor, the fraction of the asset's value lost in that incident. For a stolen laptop, for instance, you estimate what a single theft costs.
ARO: The Annualized Rate of Occurrence is the estimated number of times an incident happens in a year, for example how many laptops are stolen per year. It is an estimate rather than a measured fact, so it should be based on the best available data and revisited as data accumulates.
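The following Python is an added worked example, not from the original text, that carries the SLE, ARO and ALE formulas through on a laptop-theft scenario and uses them for the budgeting decision mentioned above: whether a control with a known annual cost pays for itself. The figures (asset value, exposure factor, theft rate, control cost) are invented for the example, and the Poisson model used to turn an ARO into a probability over a period is an assumption of the example, not something the page states.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk scenario, parameterized the way the quantitative method needs."""
    asset_value: float      # AV: value of the asset at risk, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro

    def prob_at_least_one(self, years: float = 1.0) -> float:
        """Probability of at least one incident within `years`.

        Assumes incidents arrive independently at the ARO rate (a Poisson
        process). That model is an assumption of this example; the page
        only says the ARO is an estimate of yearly frequency.
        """
        return 1.0 - math.exp(-self.aro * years)


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Annual value of a control = (ALE before - ALE after) - its yearly cost.

    Positive means the control saves more than it costs; negative means the
    organization would spend more on the control than it expects to lose.
    """
    return (before.ale() - after.ale()) - annual_control_cost


def laptop_theft_example() -> dict:
    """Constructed scenario: laptops are stolen four times a year.

    Without disk encryption a theft loses the hardware and exposes the data,
    so the whole asset value is lost (EF = 1.0). With full-disk encryption
    the data stays protected and only the hardware is lost (EF = 0.4); the
    theft rate is unchanged because encryption does not stop thieves.
    All numbers are invented for the example.
    """
    unencrypted = Risk(asset_value=5_000.0, exposure_factor=1.0, aro=4.0)
    encrypted = Risk(asset_value=5_000.0, exposure_factor=0.4, aro=4.0)
    encryption_cost_per_year = 3_000.0
    return {
        "sle_before": unencrypted.sle(),   # 5000.0
        "ale_before": unencrypted.ale(),   # 20000.0
        "ale_after": encrypted.ale(),      # 8000.0
        "control_value": control_value(unencrypted, encrypted, encryption_cost_per_year),  # 9000.0
        # chance of at least one theft in a quarter, under the Poisson assumption
        "p_theft_in_a_quarter": round(unencrypted.prob_at_least_one(0.25), 3),  # 0.632
    }


if __name__ == "__main__":
    for name, value in laptop_theft_example().items():
        print(f"{name}: {value}")
```

Note that the control here changes the exposure factor, not the ARO: encryption lowers the impact of each theft but not its frequency, whereas a control such as cable locks or a tracking policy would instead lower the ARO. Separating the two inputs is what lets the calculation show which kind of control a given risk actually needs.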
Quantitative vs. qualitative
Quantitative and qualitative risk assessment differ in what they measure. A quantitative assessment assigns numbers, typically monetary values, to assets, losses and frequencies, producing figures such as SLE and ALE. A qualitative assessment instead rates likelihood and impact on relative scales (such as low, medium and high) and ranks risks against each other; it is quicker and copes with losses that are hard to price, such as reputational damage or the value of information, but it yields priorities rather than amounts. Many organizations use both.
Vulnerabilities are weaknesses in a system, process or control that a threat could exploit. The same threat poses a different level of risk to different organizations because their vulnerabilities, and the policies and controls that address them, differ.
Threat vectors are the paths or means by which a threat reaches its target, such as an e-mail attachment, a removable drive, an unpatched network service or a stolen credential. Identifying the likely threat vectors shows where controls are needed.
Probability / threat likelihood
Probability, or threat likelihood, estimates how likely a risk is to materialize, usually from how often it has occurred in the past. With that frequency you can estimate the probability of the event happening within a given period, which feeds the likelihood side of the risk calculation.
Risk avoidance, transference, acceptance, mitigation, deterrence
Risk is part of everyday life, at work, at home or in the street, and it cannot be eliminated entirely. What an organization can do is decide how to respond to each risk it identifies.
One response is risk avoidance: choosing not to engage in the activity that creates the risk. An educational institution whose students might reach illegal material on the internet, for example, can block those sites.
Another is transference: shifting the risk to another party, most commonly by insuring against it or by contracting the activity to a provider who takes on responsibility for it.
Acceptance means deciding to live with a risk, usually because the cost of addressing it exceeds the expected loss, and dealing with the consequences if it materializes. Accepted risks should be documented and periodically reviewed.
Mitigation means putting controls in place to reduce the likelihood or the impact of a risk. A data centre operator, for instance, invests in physical and technical security systems.
Finally, deterrence discourages would-be attackers from attempting an attack in the first place. Security fences, guard dogs, visible cameras and warning signs deter unauthorized people from entering a premises.
Risks associated with Cloud Computing and Virtualization
Cloud computing is a model in which information and computing resources are stored and processed on infrastructure operated by a provider and reached over the network, rather than on systems the organization owns. It carries risks of its own. One is that data in the cloud may be accessible to others: the systems are under a third party's control, so the provider's staff, or other tenants of a shared platform, might gain access to it. Encrypting data before it is placed in the cloud, with keys the organization keeps itself, limits what anyone with access to the stored data can learn.
Another risk is that the security of the data is managed by someone else and may not meet the organization's requirements. In addition, because the data lives on servers the organization does not control, an outage at the provider or a loss of network connectivity can make the information unavailable.
Virtualization is another growing technology: one large physical computer hosts many virtual systems. A risk specific to it is that the virtualization layer, the hypervisor, controls every virtual machine on the host; if an attacker compromises it, every system on that host is compromised too.
Another risk is limited visibility and control over traffic between virtual systems on the same host, which may never cross a physical network device where it could be monitored. Securing all the virtual systems is also real work: each one needs its own security configuration and patching, and the ease of creating new virtual machines can leave many of them unmanaged.
It is important to be conversant with these risk-related concepts. With them, an organization can not only handle risks as they arise but also plan for them in advance and take the precautions needed to prevent damage or loss. Knowing the risks is what makes a stable and safe working environment possible.