DIGITAL SECURITY AND INFORMATION ASSURANCE


This blog is created to stimulate academic discussion in partial fulfillment of the degree of Doctorate of Computer Science in DIGITAL SECURITY AND INFORMATION ASSURANCE for the Colorado Technical University, Colorado Springs, Colorado.

Courses include: EM835 Information Accountability and Web Privacy Strategies; SC862 Digital Security; Quantitative Analysis; CS854 Software Architecture and Design.

Monday, September 3, 2012

Risk Management a must for Security

Risk management in an information security program is one of the yardsticks of due diligence and due care that form the cornerstone of information security governance. One way to incorporate risk management and assessment into the security program is to establish a security policy and procedures in the organization. The security policy then forms the basis of a risk management policy tailored to address the following:

* Uncovering potential dangers in the environment

* Researching and understanding the vulnerabilities, threats and risks that are peculiar to the environment

* Performing periodic security assessments

* Analyzing the assessment data. This analysis is essential: it is what establishes a security baseline, with the security controls needed to adequately safeguard information assets.

We need to know where we are and where we are going in terms of security for the security program to succeed in any organization. The benefits of risk analysis are substantial: it helps us understand exactly what is at risk in the environment, exercise due care, and comply with legal and regulatory requirements (Harris, 2010).

By performing risk analysis, we are in a better position to know which security controls, countermeasures and safeguards to implement in order to reinforce the environment's security posture in view of known vulnerabilities and risks. For instance, the risk assessment could show that patch management and anti-malware deployment need more attention than they currently receive. According to Harris (2010), a risk analysis helps integrate the security program's objectives with the company's business objectives and requirements.

I will confront emerging threats by making sure that adequate security controls, both technical and administrative, are in place, and by fine-tuning the continuous education of users on the importance of information security as they perform their daily tasks. Security monitoring and awareness training will also be stepped up to address all forms of social engineering and non-compliance with security policy and procedures. Without implementing adequate protection measures, enterprises are at risk of having their operations critically disrupted (Murphy & Zwieback, 2005). No amount of IDS, IPS and firewalls can offer the necessary protection if the users, who are the first line of defense, fail to follow simple security rules.

The risk assessment will include a detailed threat and vulnerability analysis, a thorough examination of countermeasure mechanisms, and asset identification. Without these components the purpose of the risk assessment is defeated and the whole risk management program may be in jeopardy.

References:

Harris, S. (2010). CISSP all-in-one exam guide (5th ed.). Columbus, Ohio: McGraw-Hill.

Murphy, J., & Zwieback, D. (2005). Managing emerging security threats. Retrieved April 24, 2012, from http://www.greetsomeone.com/pdf/inkcom_managing_security_threats.pdf
