Risk Management vs Risk Avoidance
William Gillette

Security System Development Life Cycle: An Overview

Investigation: Teams of employees define the problem and scope, set goals/objectives, and check the feasibility of the project.

Analysis: Looks at current security policies, threats, controls, and legal issues that could impact a new security policy/system. Risk management stage.

Design: The logical and physical design of the security system. Risk avoidance stage.

Implement: The purchase or development of security solutions.

Maintenance: Security systems constantly need updating, modifying, and testing.

Risk Management

Defined:

The process of identifying vulnerabilities in an organization's information systems and/or programs, then taking steps to assure their confidentiality, availability, integrity, and authenticity.

Risk Management
Step by Step Analysis

Step 1: Know yourself

First, you must identify, examine, and understand the data/information and the systems that interact with these elements.
Second, once you know what you have, you can look at what is already being done to protect these assets.
Third, identify whether these controls are being properly maintained and administered.

Risk Management
Step by Step Analysis

Step 2: Know your enemy

Now that you are informed of your organization's assets and weaknesses, you must identify, examine, and understand the threats facing your organization.
In turn, you must also identify the aspects of the threats that will most directly affect your organization.
With your understanding of the threats, you are now ready to create a list of threats prioritized by the importance of the threat and of the asset.
Remember, in business, business needs come first; technology (including security) mainly comes second.

Risk Management
Step by Step Analysis

Step 3: Know your community

Information security community: these people understand the threats the most and often take a leadership role when it comes to addressing threats.
Users and managers communities: when properly trained, this group plays a critical part in the area of early detection.
Both groups are also responsible for:

Evaluating risk controls.
Determining which control options are cost effective.
Acquiring or installing the needed controls.
Overseeing that the controls remain effective.

Risk Avoidance

Defined:

A risk control strategy that attempts to prevent attacks on organizational assets through their vulnerabilities.

This is the most preferred risk control strategy, as it seeks to avoid risks/threats entirely.
Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.

Methods of Risk Avoidance

Avoidance through application of policy.
Avoidance through application of training and education.
Avoidance through application of technology.

Avoidance through Application of Policy

This mandates that a procedure must be followed when dealing with a sensitive asset.

Example: requiring randomly assigned passwords to access sensitive assets such as customer databases.

Avoidance through Application of Training and Education

New policies must be communicated to employees. In addition, new technology requires training.
General security awareness issues must also be addressed.
Awareness, education, and training are essential if employees are to exhibit safe, controlled behavior.

Avoidance through Application of Technology

In the real world, technological solutions are often required to assure that a risk is reduced.
The use of countermeasures to reduce or eliminate the exposure of a particular asset to a specific threat.
Implementing safeguards to deflect attacks on systems and therefore minimize the probability that an attack will be successful.

Risk Management vs Risk Avoidance

Risk management: identifying vulnerabilities in an organization's information systems and/or programs.

Risk avoidance: a control strategy that attempts to prevent attacks.
