Risk is a natural part of life. Everything we do has some sort of risk involved, although the level of risk determines whether it is a good idea to continue with the original plan or to change to meet a more acceptable level of risk. This is what we call risk appetite, the urge to take on certain levels of risk.
So why would an organization need to have a risk appetite? Well, the short answer is that it determines the path the organization is going to take. The level of risk determines how stable the organization is viewed to be and how likely it is to succeed in its overall goals.
Most business professionals tend to keep risk levels as low as possible to reduce the number of possible outcomes based on the unknown. Risk mitigation and risk avoidance are used to keep these levels within reason. Once the risk is identified, the organization then allows management to decide what is to be done with this risk. Is the risk acceptable as is? If not, what level of risk is the organization willing to accept? These are a few of the questions management looks at to determine what its appetite is.
Overall, the risk appetite of an organization must really be determined by management to ensure it is in line with the goals of the organization. Too much risk can hurt the organization and too little does not allow the organization to grow and flourish.
To learn more, read the following:
Time for a Change in our Attitude Around Risk. Retrieved from http://www.infosecisland.com/blogview/19981-Time-for-a-Change-in-our-Attitude-Around-Risk.html
What is Risk Appetite? Retrieved from http://jitenderarora.co.uk/what-is-risk-appetite/?utm_source=rss&utm_medium=rss&utm_campaign=what-is-risk-appetite
Sunday, October 27, 2013
Sunday, October 20, 2013
Vulnerability assessments: A need for all organizations
After a business reaches a certain size and becomes large enough to have a sustainable IT department, it has to consider: what are the weaknesses in the organization's technology? It also has to determine how to counteract or mitigate these vulnerabilities. And of course, how do we rank these concerns, based on certain criteria, to protect the organization?
I state all of these questions, but why would an organization care? It is essential for the organization to identify the vulnerabilities, determine what its greatest risk is, and then implement a process to eliminate or mitigate this risk. Threat and vulnerability assessments allow the organization to do just that. An organization or business does not have unlimited resources, so this helps to prioritize what portion of the budget is going to be spent on the IT department to increase or keep a certain level of security. Also, it is important that your vulnerability assessments are conducted correctly, as an error could result in the very problems that you are trying to avoid.
To ensure that vulnerability assessments are effective for the organization, set a proper schedule for your vulnerability assessments, conduct testing on your network before implementing any changes, and ensure you have a disaster recovery plan. There are more ways to ensure that your vulnerability assessment is effective, but this will help you get started on how to focus your efforts.
Keep in mind, while vulnerability assessments are beneficial, if done incorrectly they can consume a lot of resources and time with little to no results that are of any benefit to the organization. The best method I can suggest is to define the requirement, identify the risks, and develop a plan that is not only cost effective but also effective at securing the organization's IT network.
To learn more, read the following:
Three Tips for Effective Vulnerability Assessments. Retrieved from http://www.infosecisland.com/blogview/22744-Three-Tips-for-Effective-Vulnerability-Assessments.html
Penetration Tests Are Not Vulnerability Assessments. Retrieved from http://blog.tevora.com/info/penetration-tests-are-not-vulnerability-assessments/
The Perils Of Automation In Vulnerability Assessment. Retrieved from http://www.infosecisland.com/blogview/21723-The-Perils-Of-Automation-In-Vulnerability-Assessment.html
Sunday, October 13, 2013
Risk Management Practice
All organizations need some sort of risk management process to identify the risks and hazards in the workplace. In the cyber realm, the risk management process helps to identify the vulnerabilities and shortcomings so that IT personnel can develop measures that help protect the organization.
So what does this mean for the everyday organization or business? It means that this process is a necessary one, and without a risk management process or an emphasis on it, your business is at risk of an attack or intrusion on the data within the organization.
So the bottom line is that a risk management process should be identified early on in the strategic goals to allow for the implementation of this process without accepting risk in other areas. The process should be simple in nature to allow for easy implementation. Remember, risk management is a balancing act between the risk and the overall opportunity. You have to be able to determine whether you can accept that risk, and that gives you the opportunity and ability to exploit that situation.
In order for a security-based risk management strategy to be successful, it is clear that we need to better align our security efforts with the goals of the business. That partnership with our business counterparts is crucial to the success and advancement of our careers.
If you would like to learn more, read the following:
http://www.infosecisland.com/blogview/22624-Fifteen-Tips-to-Improve-Your-Infosec-Risk-Management-Practice.html
https://securosis.com/research/threat-intelligence-for-ecosystem-risk-management
http://www.infosecisland.com/blogview/18897-Risk-Management--More-Than-Just-Risk-Assessment.html
Sunday, October 6, 2013
Security Education, Training, and Awareness: Is it Useful?
As with every profession in life, there is some sort of training requirement to keep you at the so-called "tip of the spear" in your field. Information security is no different. There are annual training requirements, seminars, and courses designed to keep INFOSEC personnel up to date on current and emerging threats. This seems pretty simple: your field requires some sort of training to stay current. But the reality is that some in the field believe that this training is a waste of time, that training is not effective at helping employees prevent mishaps in information security, or that it takes away from the IT professional's job responsibilities. Well, personally I think that all of these reasons are invalid and a lot of training needs to be done by everyone who uses technology in the workplace.
Think about it. How can you expect to enforce information security policies and principles without some sort of training or familiarization for your organization? Remember, we work the systems, we operate the computers, and we have the breaches in data. People must be taught to secure information within their organization; it is not a natural response that we are born with. Also, training must be relevant to the organization you're in. You do not need to be trained on everything; that is what IT is for. You need to be educated on your part within the organization.
So, what does this mean? That humans are the weakest link in information security and privacy. Computers and technology will not divulge any information they are not made to or given a command to. The technology does not leave itself where unauthorized people can access or view it; we do. So, when it is said that an organization does not need security awareness training, then that organization must like potentially dangerous situations or potential lawsuits from loss of private information. It is not good business to ignore an essential task such as protecting information from unauthorized disclosure.
To learn more, read the following:
http://blog.noticebored.com/2012/05/this-years-uk-information-security.html
http://www.infosecisland.com/blogview/22152-Not-Providing-Education-is-the-Dumbest-Idea-for-Infosec.html
https://securosis.com/blog/security-awareness-training-evolution-why-bother-training-users
