Module I
Kefa Rabah
IT Risk Management Plan – The Way Forward
CIS300 - IT Risk Mgmt & Compliance Strategies PAGE 2 OF 50
Bright Future
Module I
Risk Management Plan: A Case Study
Serengeti Group
IT Security Project Solution
www.serengetisys.com
Bedrock City University (BCU) Secure Network Infrastructure Project
Developing IT Security Risk Management Plan
The Way Forward

Document History:
Date          Version #     Author(s)          Description of Changes
Feb 02, 2008  BCU-RMP-001   BCU-ISESC, SISC    Final Issue

A Global Open Versity Reading Room Academic Technical Publication
Permissions: A GOV Open Knowledge Academic Access License. Learn more, visit:
www.serengetisys.com www.globalopenversity.org
Kefa Rabah
Developing IT Security Risk Management Plan
Abstract
As attacks on enterprises grow more sophisticated and diverse, companies need to rethink their network defense and their entire enterprise risk management strategies. Security, for that matter, is not only about protecting the network, but also the data. That requires a combination of tactics, from securing the network perimeter to encrypting data on mobile and storage devices. Today, many enterprises look at the network as taking a layered approach. As security becomes more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance. And they are grappling with new issues created by growing mobility and anywhere, anytime access – making the remote users the “new perimeter” frontier and not the firewall – thus increasing risk to enterprise resources. In this respect, IT managers are currently focusing more and more on getting end-to-end visibility. However, more importantly, the road to an enterprise security strategy and risk management starts with consulting stakeholders to determine what level of risk is acceptable. Then you can formulate a policy that lays out the controls that will achieve the goals via implementing a solid IT security risk management plan, geared towards the organization’s IT security objectives and driven by business requirements for improved performance.
1.0 INTRODUCTION
Risk management is a much talked about, but little understood, area of the IT security industry. While risk management has been practiced by other industries for hundreds of years, little historical data exists to support qualitative analysis in the IT environment. The industry approach to date has been to buy technology without really understanding the potential underlying risks. To further complicate matters, new government regulations create additional pressure to ensure sensitive data is protected from compromise and disclosure. Processes need to be developed that not only identify the sensitive data, but also identify the level of risk posed by noncompliance with corporate security policies. Serengeti Information Security Consulting (SISC) at Bedrock City has developed security procedures based on industry standards that evaluate and mitigate areas deemed not compliant with internal security policies and standards. Through the use of quantitative analysis, SISC is able to determine the areas that present the greatest risk, which allows for identification and prioritization of security investments.
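The plan states that quantitative analysis is used to find the areas of greatest risk and to prioritize security investments, but does not spell out the arithmetic. The following is an added illustration, not code or figures from the BCU/SISC plan: it assumes the standard Annualized Loss Expectancy (ALE) method, in which single loss expectancy is asset value times exposure factor, ALE is that times the annualized rate of occurrence, and a proposed control is worth funding when the annual loss it removes exceeds its own annual cost. All asset names and numbers are constructed sample data.

```python
"""Quantitative risk ranking with Annualized Loss Expectancy (ALE).

Added illustration; the BCU/SISC plan does not specify a method, so the
standard ALE approach is assumed here:
    SLE = asset_value * exposure_factor          (loss per incident)
    ALE = SLE * ARO                              (expected loss per year)
    net benefit = ALE removed by control - annual control cost
Every asset and figure below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # business/replacement value of the asset, currency units
    exposure_factor: float  # fraction of the value lost per incident, 0.0..1.0
    aro: float              # annualized rate of occurrence (incidents per year)
    control_cost: float     # annual cost of the proposed mitigating control
    residual_factor: float  # fraction of the ALE that remains after the control

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss with no control."""
        return self.sle() * self.aro

    def ale_reduction(self) -> float:
        """Yearly loss the control is expected to prevent."""
        return self.ale() * (1.0 - self.residual_factor)

    def net_benefit(self) -> float:
        """Positive when the control saves more per year than it costs."""
        return self.ale_reduction() - self.control_cost


def rank_by_ale(risks):
    """Highest expected yearly loss first: the 'areas of greatest risk'."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def fundable_controls(risks):
    """Controls that pay for themselves, best return on spend first."""
    return sorted((r for r in risks if r.net_benefit() > 0),
                  key=lambda r: r.net_benefit(), reverse=True)


# Constructed sample register for a campus network (hypothetical values).
SAMPLE_RISKS = [
    Risk("Student records DB breach",      2_000_000, 0.25, 0.10, 60_000, 0.20),
    Risk("Campus web server defacement",     150_000, 0.50, 1.00, 20_000, 0.10),
    Risk("Unencrypted laptop loss",           80_000, 1.00, 3.00, 30_000, 0.05),
    Risk("Data centre power outage",         500_000, 0.10, 0.50, 40_000, 0.50),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:30} SLE={r.sle():>10,.0f} ALE={r.ale():>10,.0f} "
              f"net benefit={r.net_benefit():>+10,.0f}")
```

Note that the asset with the largest single-incident loss (the records database) is not the largest annualized risk; the frequent, low-value laptop losses dominate the ranking, and two of the four proposed controls cost more per year than the loss they would prevent. That gap between "biggest headline loss" and "biggest expected loss" is exactly what quantitative analysis is meant to surface before investment decisions are made.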
1.1 OVERVIEW OF RISK MANAGEMENT IN IT SECURITY FIELD
The fundamental precept of information security is to support the mission of the organization. All organizations are exposed to uncertainties, some of which impact the organization in a negative or positive manner. In order to support the organization, IT security professionals must be able to help their organizations’ management understand and manage these uncertainties. Managing uncertainties is not an easy task. Limited resources and an ever-changing landscape of threats and vulnerabilities make completely mitigating all risks impossible. Therefore, IT security professionals must have a toolset to assist them in sharing a commonly understood view with IT and business managers concerning the potential impact of various IT security related threats to the mission. This toolset needs to be consistent, repeatable, and cost-effective, and to reduce risks to a reasonable level. However, due to the complex nature of the network infrastructure and its integrated information system, it