ARGSYSTEMS LLC. can help your organization design and implement a solid process-based risk management program incorporating risk assessment, risk mitigation, and the follow-up evaluation and assessment phases.
The risk assessment phase incorporates a process for identifying and evaluating risks, their impacts, and the series of recommendations that are likely to effectively reduce the identified risks, recognizing that risk to an IT system only arises when a threat interacts with a vulnerability. Under that premise, several steps lead to a correct assessment of the risk, including:
-system characterization (hardware and software description, mission use and processes within the organization, management implementation of security procedures around the systems, data flow, physical security, etc.)
-threat identification (hackers/crackers, terrorists, computer criminals, spies, insiders, etc.)
-vulnerability identification (flaws, system misconfiguration, poor access control enforcement, environmental hazards, etc.)
-system security testing, including the use of automated vulnerability scanning tools and the practice of penetration testing
-analysis of controls that can adequately reduce the likelihood of a threat acting on a vulnerability
-impact analysis documenting the consequences of an IT asset being compromised
-the criticality (or sensitivity) of the systems and information assets supporting the organization
Attempting to quantify IT risk to an organization
Determining risk levels can be a decisive tool for prioritizing the assignment of effort and resources needed to mitigate risk for the organization. Although various methods exist, a simple approach is to use a Risk Matrix that assigns numerical scales to threat likelihood and to the combined impact. Whereas a qualitative approach adopts a low, medium, high ranking, a matrix-based quantitative method assigns coefficients to each parameter, so that a risk score is the product of the likelihood coefficient and the impact coefficient.
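The following is an added worked example of such a matrix, not ARGSYSTEMS material. The likelihood coefficients (0.1/0.5/1.0), impact coefficients (10/50/100), and the score-to-ranking thresholds are assumptions chosen for illustration; the threat/vulnerability pairs are constructed sample data.

```python
# Added example: matrix-based quantitative risk rating with assumed coefficient scales.
from __future__ import annotations
from dataclasses import dataclass

# Assumed scales: likelihood that a threat exercises the vulnerability, and
# magnitude of impact on a 0-100 scale if the asset is compromised.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class Risk:
    threat: str          # threat source (insider, hacker, environmental hazard, ...)
    vulnerability: str   # weakness the threat could act upon
    likelihood: str      # qualitative input, mapped through LIKELIHOOD
    impact: str          # qualitative input, mapped through IMPACT


def risk_score(risk: Risk) -> float:
    """One cell of the risk matrix: likelihood coefficient x impact coefficient."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def risk_level(score: float) -> str:
    """Map the numeric score back to the qualitative ranking used for reporting (assumed thresholds)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(risks: list[Risk]) -> list[tuple[str, float, Risk]]:
    """Order risks so mitigation effort and budget go to the highest-scoring pairs first."""
    scored = [(risk_level(risk_score(r)), risk_score(r), r) for r in risks]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample threat/vulnerability pairs for the demonstration.
SAMPLE_RISKS = [
    Risk("insider", "poor access control enforcement on HR database", "medium", "high"),
    Risk("hacker", "unpatched public web server", "high", "medium"),
    Risk("environmental hazard", "no humidity control in computing facility", "low", "high"),
    Risk("computer criminal", "laptop without disk encryption", "high", "high"),
]

if __name__ == "__main__":
    for level, score, r in prioritize(SAMPLE_RISKS):
        print(f"{level:6} {score:6.1f}  {r.threat} -> {r.vulnerability}")
```

Ties in the numeric score (two pairs both scoring 50 above) keep their input order, so a second criterion such as asset criticality is needed to break them when the matrix alone does not.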
Determining risk mitigation solutions
Implementing risk-reducing measures is dictated by cost considerations, the goal being to employ the least costly method that has the most beneficial effect on risk reduction. Options range from eliminating risk to transferring risk, avoiding risk, etc.
Implementing new controls
Controls are generally divided into technical and operational, and further differentiated according to their preventive or detective character.
Preventive technical security controls: identification (mandatory access control, discretionary access control, accountability), cryptographic key management, security administration (IT system security features configuration), system protection, authentication, authorization, access control enforcement, backup capability (regular data & system backups, archive logs that save all database
Detective technical controls: audit, intrusion detection and containment, system integrity tools, restore secure state, virus detection and removal
Preventive operational controls: physical access control, safeguard computing facility, secure wiring closets, establish off-site storage procedures & security, protect laptops, PCs & workstations, requirements & procedures for the use of fire extinguishers, tarpaulins, dry sprinkler systems, halon fire suppression systems, provide emergency power source (UPS, on-site power generators), control humidity & temperature of the computing facility (air conditioner, heat dispersal)