Introduction

Risk Management

The risk management framework is a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. There are five risk management steps that should be in practice when considering the security and safety of your network.

The Five Risk Management Steps

  1. Identify the risk.
  2. Analyze the risk.
  3. Evaluate or rank the risk.
  4. Treat the risk.
  5. Monitor and review the risk.

We'll explain these steps in further detail.

Identify the risk. You and your security team first discover the possible risk. From there you attempt to describe the risk and project the risk's outcome.

Analyze the risk. Once identified, you calculate the consequence of the risk. You and your security team form an understanding of the nature of the risk and its potential to affect project goals and objectives.

Evaluate or rank the risk. You and your security team evaluate or rank the risk by determining the risk magnitude, which is the combination of likelihood and consequence. At this point decisions are made about whether the risk is acceptable or whether it is serious enough to warrant treatment.

Treat the risk. You and your security team assess your highest ranked risks and set out a plan to treat or modify these risks to achieve acceptable risk levels. Can you minimize the probability of the negative risks as well as enhance the opportunities? You and your security team create risk mitigation strategies, preventive plans and contingency plans in this step.

Monitor and review the risk. You and your security team continue to monitor the risk. By identifying and managing a comprehensive list of project risks, surprises and barriers can be reduced or eliminated.

The risk management process can also help to resolve problems when they occur. The plans to treat them have already been developed and agreed upon, which helps prevent you from going into “fire-fighting” mode to rectify problems that could have been anticipated.
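The five steps above, carried through on a small risk register as an added example (not from the original page): magnitude is likelihood combined with consequence, risks are ranked, an acceptance threshold decides what gets treated, and the review step flags entries nobody has looked at recently. The 1-5 scales, the threshold of 10 and the 90-day review interval are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed scales and thresholds; the page fixes no particular values.
TREAT_THRESHOLD = 10        # magnitude at or above this warrants treatment
REVIEW_INTERVAL_DAYS = 90   # "monitor and review" cadence
AS_OF = date(2024, 4, 1)    # constructed "today" for the review check

@dataclass
class Risk:
    name: str
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    consequence: int   # 1 (negligible) .. 5 (severe)
    last_reviewed: date
    treatment: str = ""  # plan agreed in the "treat" step, if any

    def magnitude(self) -> int:
        """Step 3: magnitude combines likelihood and consequence."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError("scores must be on the 1-5 scale")
        return self.likelihood * self.consequence

def rank_risks(risks):
    """Step 3: highest magnitude first; ties broken by consequence."""
    return sorted(risks, key=lambda r: (r.magnitude(), r.consequence), reverse=True)

def needs_treatment(risk):
    """Step 4: treat only what exceeds the agreed acceptance level."""
    return risk.magnitude() >= TREAT_THRESHOLD

def untreated_high_risks(risks):
    """Risks above the threshold with no agreed plan: the future fire-fighting."""
    return [r.name for r in rank_risks(risks) if needs_treatment(r) and not r.treatment]

def overdue_reviews(risks, today):
    """Step 5: anything not reviewed within the interval."""
    return [r.name for r in risks if (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS]

# Constructed sample register (hypothetical entries, not from the page).
REGISTER = [
    Risk("Unpatched web server", 4, 5, date(2024, 1, 10), "Monthly patch window"),
    Risk("Weak admin passwords", 4, 4, date(2024, 3, 1)),
    Risk("Office printer outage", 3, 1, date(2024, 2, 15)),
    Risk("Lost backup tape", 2, 5, date(2023, 11, 20), "Encrypt tapes, offsite log"),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.magnitude():>2}  {r.name}  treat={needs_treatment(r)}")
    print("untreated:", untreated_high_risks(REGISTER))
    print("overdue:", overdue_reviews(REGISTER, AS_OF))
```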

Ten Immutable Laws of Security Administration

There are 10 basic security administration laws that will not change. These are:

  1. Nobody believes anything bad can happen to them, until it does.
  2. Security only works if the secure way also happens to be the easy way.
  3. If you don’t keep up with security fixes, your network won’t be yours for long.
  4. It doesn’t do much good to install security fixes on a computer that was never secured to begin with.
  5. Eternal vigilance is the price of security.
  6. There really is someone out there trying to guess your passwords.
  7. The most secure network is a well-administered one.
  8. The difficulty of defending a network is directly proportional to its complexity.
  9. Security isn’t about risk avoidance; it’s about risk management.
  10. Technology is not a panacea.

Let's explain these a bit further.

1. Nobody believes anything bad can happen to them, until it does. Among small and medium-sized businesses (SMBs), this is probably the biggest stumbling block. Granted, most SMBs are not targets, and everyone wants to believe that they are not a target; however, if a bot scans your server and finds vulnerabilities, you quickly become a target.

2. Security only works if the secure way also happens to be the easy way. If the secure way is harder than the insecure way, people will take the insecure way, and that is a sure route to not being secure. You can have a steel front door to your home, but what good does it do to prevent intrusion if you don't lock it?

3. If you don’t keep up with security fixes, your network won’t be yours for long. Without a routine update and patch schedule you leave yourself open to a server or network breach. Staying on top of security threats and plugging holes is vital, especially when it comes to web applications.

4. It doesn’t do much good to install security fixes on a computer that was never secured to begin with. In other words, why close the barn door after the horses have escaped?

5. Eternal vigilance is the price of security. Monitoring your system only once in a while will not protect you from breaches, malware or viruses. Maintaining a truly secure system means a dedicated schedule for reviewing firewall logs and other important security and maintenance logs.

6. There really is someone out there trying to guess your passwords. Weak passwords are a hacker's best tool for gaining access to your account. Don't give them that tool. Make it hard for them to guess that your password is your child's or spouse's name, your street address or something easily obtained by simple social engineering. Make your passwords complex and long, and change them on a regular basis.

7. The most secure network is a well-administered one. I don't think anything can be added to this statement to make it more clear and understandable.

8. The difficulty of defending a network is directly proportional to its complexity. Adding complexity should only be done when it is a business or technological necessity.

9. Security isn’t about risk avoidance; it’s about risk management. Risk is a part of our everyday lives. It also exists within our networks and systems. It is every administrator's job to make sure that the servers and networks are monitored, logs are tracked and plans are made to minimize the risks. Some risks are more acceptable than others; some are more serious and need to be kept in check.

10. Technology is not a panacea. Too many times people forget that there are others out there who want to do harm. Cyber crime is real, and burying your head in the sand is not going to make it go away. Planning for security, implementing those plans, and knowing what to do when something does go wrong are key.