If You Read One Article About Risk Management Activity Read this One
As a security administrator, these are the various risk management activities I will perform for my company.
First of all, the questions I need to answer from the company's point of view before starting the actual risk management activity:
1. Has it been communicated to staff that protecting the system is in everyone's best interests?
2. Has an effort been made to increase staff awareness of security issues?
3. Has appropriate staff security training been provided?
4. Are security activities regularly monitored?
5. Has administrator support been garnered?
6. Has user support been sought?
7. Has a security breach response plan been developed?
8. Have contingency plans been developed to deal with significant and probable threats?
9. Are response and contingency plans frequently and exhaustively tested?
10. Has a backup plan been developed and implemented?
11. Is a virus protection system in place?
12. Are software updates tracked?
13. Are user accounts managed appropriately?
14. Is system use monitored appropriately?
Then the things I have to keep in mind:
· Security Breach Response Planning
There are three common responses to an attack on an information system: "protect and proceed," "pursue and prosecute," and "panic and pray." Either of the first two strategies, while clearly opposite in design, can be appropriate depending on the nature of the security breach and the philosophy of the organization. The third approach, "panic and pray," while unfortunately more common than the first two, is never an effective response. In fact, the entire rationale for contingency planning is to minimize the need for panic and prayer in the event of a security incident.
1. Protect and Proceed. If management fears that the site is particularly vulnerable to attack, it may choose a "protect and proceed" strategy. Upon detection of an attack, attempts are made to actively interfere with the intruder's penetration, prevent further encroachment, and begin immediate damage assessment and recovery. This process may involve shutting down facilities, closing off access to the network, or other drastic measures. The drawback is that unless the intruder is identified directly, he, she, or it may come back into the site via a different path, or may attack another site.
2. Pursue and Prosecute. This alternative to the "protect and proceed" approach adopts the opposite philosophy and goals. Here, the primary goal is to allow intruders to continue to access the system until they can be identified and have evidence of their unauthorized activities gathered against them. While this approach is endorsed by law enforcement agencies and prosecutors because of the evidence it can provide, the major drawback is that the system and its information remain open to potential damage while the organization is trying to identify the source and collect its evidence.
Hard drives will crash, electrical surges will zap data, and files will be erased accidentally. General system security is designed and implemented to protect the organization from these disturbing events. But as valuable as locks, virus scanners, disk labels, and passwords can be, if a fire, flood, or sophisticated intruder knocks at the door uninvited, be prepared for trouble.
Any machine that is connected to a network or that interacts with others via diskettes or a modem is vulnerable to rogue programs: computer viruses, worms, Trojan horses, and the like. It is my duty to develop and monitor procedures for preventing viruses and other rogue programs from infiltrating the system. As a rule of thumb, no diskette from outside the system (including brand name, shrink-wrapped software) should ever be used on a system machine without first having been scanned by an up-to-date antivirus program.
It goes without saying that computer systems have bugs. Even operating systems, upon which we depend for so much of the protection of our information, have bugs. Because of this, software publishers release updates on a frequent basis. Often these updates are, in fact, plugs for holes in the software's security that have been discovered. It is important that whenever these bugs are identified, I have to take all action possible to remedy them as soon as possible in order to minimize exposure.
Users other than the system manager (and an accountable replacement in case of emergency) should be given access to the system based solely on their job needs. Restricting user access minimizes the opportunities for accidents and other possibly inappropriate actions. Through the use of user accounts, each authorized user is identified before accessing the system, and any action that is made by that user is classified as such.
System monitoring can be done by either the security manager or by software designed specifically for that purpose. Monitoring a system involves looking at all aspects of the system, identifying patterns of regular use, and searching for anything unusual. Most operating systems store information about system use in special files referred to as log files. Examination of these log files on a regular basis is often the first line of defence in detecting unauthorized use of the system.
1. Compare lists of currently logged-in users and past log-in histories. Most users typically log in and out at roughly the same time each day. An account logged in outside the "normal" time for the account may be a sign of unauthorized activity and require investigation and explanation.
2. Check system logs for unusual error messages. For example, a large number of failed log-in attempts in a short period of time may indicate that someone is trying to guess passwords.
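As an added example that is not part of the original post, the following Python script applies both of the checks above to a handful of constructed sample log lines. The log format (an sshd-style "Accepted/Failed password for USER from IP" line), the per-account "normal" login hours, and the failure threshold are all assumptions made for the example; a real deployment would read the operating system's actual log files and use baselines learned from the organization's own login history.

```python
"""Added example (not from the original post): the two log checks described
above, run over constructed sample log lines.

Assumptions (not from the post): syslog-like sshd lines of the shape
"Mon DD HH:MM:SS host sshd[pid]: Accepted|Failed password for USER from IP",
a per-account "normal" login window, and a threshold of failed attempts
from one source within a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
Mar 03 08:02:11 fileserver sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 03 08:15:40 fileserver sshd[1210]: Accepted password for bob from 10.0.0.7 port 51030 ssh2
Mar 03 23:41:05 fileserver sshd[1390]: Accepted password for alice from 10.0.0.5 port 51911 ssh2
Mar 03 23:45:01 fileserver sshd[1402]: Failed password for admin from 203.0.113.9 port 40001 ssh2
Mar 03 23:45:02 fileserver sshd[1402]: Failed password for admin from 203.0.113.9 port 40001 ssh2
Mar 03 23:45:03 fileserver sshd[1402]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 03 23:45:04 fileserver sshd[1402]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 03 23:45:06 fileserver sshd[1402]: Failed password for bob from 203.0.113.9 port 40003 ssh2
Mar 04 08:03:30 fileserver sshd[1501]: Accepted password for alice from 10.0.0.5 port 52010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed "normal" login hours per account (24h clock, start inclusive, end exclusive).
NORMAL_HOURS = {"alice": (7, 19), "bob": (7, 19)}


def parse(log_text, year=2024):
    """Parse matching lines into event dicts; lines of other shapes are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def off_hours_logins(events, normal_hours=NORMAL_HOURS):
    """Check 1: successful logins outside the account's usual window."""
    flagged = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        window = normal_hours.get(e["user"])
        if window is None:
            flagged.append(e)  # account with no baseline: worth a look
            continue
        start, end = window
        if not (start <= e["ts"].hour < end):
            flagged.append(e)
    return flagged


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Check 2: many failed attempts from one source within a sliding window.

    Returns {ip: largest number of failures seen inside any one window}.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            count = right - left + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in off_hours_logins(evs):
        print(f"off-hours login: {e['user']} at {e['ts']} from {e['ip']}")
    for ip, n in failed_login_bursts(evs).items():
        print(f"possible password guessing: {n} failures from {ip} within 5 minutes")
```

On the constructed data the script reports alice's 23:41 login as outside her usual hours and the five failures from 203.0.113.9 within a few seconds as a possible password-guessing attempt. The sliding window matters: a fixed "per calendar minute" count would miss a burst that straddles a minute boundary.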
· Include procedures for interaction with outside organizations, including law enforcement agencies and other security support sites.
The procedures should state who is authorized to make such contact and how it should be handled.
I have to be inclusive when building the contingency planning team by including:
- Key policy-makers
- The security manager
- Building management
- Technical support
- End-users
- Other representative staff
- Local authorities
- Key outside contacts (e.g., contractors and suppliers)
Then I need to obtain and estimate:
- An exhaustive list of critical activities performed within the organization (as should be identified in my risk assessment)
- An accurate estimate of the minimum space and equipment necessary for restoring essential operations
- A time frame for starting initial operations after a security incident
- A list of key personnel and their responsibilities
I also have to perform or delegate the following duties as part of developing the contingency plan:
- Creating an inventory of all assets, including information (data), software, hardware, documentation and supplies. Include, item by item, the manufacturer's name, model, serial number, and other supporting evidence. Perhaps videotape my facility, including close-ups.
- Set up reciprocal agreements with comparable organizations to share each other's equipment in the event of an emergency at one site (e.g., school district to school district, school district to state department, school district to school, school to local non-profit). The key is that I have compatible equipment requirements (e.g., Mac to Mac or Windows to Windows).
- Make plans to procure hardware, software, and other equipment as necessary to ensure that mission-critical activities are resumed with minimal delay. Keep in mind that old equipment that I have replaced may no longer ideally meet my needs, but might suffice in a pinch if it still meets my minimum requirements.
- Establish contractual agreements with "hot" and "cold" backup sites as appropriate.
o A "hot" site is an off-site facility that includes computers, backed up data, etc. (everything necessary for resuming operations)
o A "cold" site is an off-site facility that includes everything necessary for resuming operations with the exception of actual computers (if some delay is acceptable, then the expense can be incurred when and only when necessary)
- Identify alternative meeting and start-up locations to be used in case regular facilities are damaged or destroyed.
- Prepare directions to all off-site locations (if and when moving off-site is actually required).
- Establish procedures for obtaining off-site backup records (i.e., who, what, where, how, and under whose direction).
- Gather and safeguard contact information and procedures for communicating with key personnel, suppliers, and other important contacts.
- Arrange with manufacturers to provide priority delivery of emergency orders.
- Locate support resources that might be needed (e.g., equipment repair, trucking, and cleaning companies).
- Establish emergency agreements with data recovery specialists.
- Arrange for uninterrupted site security with local police and fire departments.
I need to specify the following within the plan:
- Individual roles and responsibilities, by name and job title, so that everyone knows exactly what needs to be done
- Actions to be taken in advance of an occurrence or undesirable event
- Actions to be taken at the onset of an undesirable event to limit damage, loss, and compromise
- Actions to be taken to restore critical functions
- Actions to be taken to reestablish normal operations
- Periodically try to restore files that have been backed up (be sure to make secondary backups so that I am not risking my only backup copy of the data, but otherwise make the process identical to a real emergency).
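The restore test in the last item is the one part of the plan that can be rehearsed routinely, so here is an added example (my own code, not part of the original post) of such a drill in Python. It backs up a directory to a tar archive, restores that archive into a separate scratch directory so neither the live data nor the backup copy is ever overwritten, and then compares a SHA-256 hash of every file. The sample files, directory names and archive name are constructed for the example.

```python
"""Added example (not from the original post): a restore drill that never
touches the live data or the backup itself. Backup -> restore into a scratch
directory -> compare SHA-256 of every file. Sample data is constructed.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash one file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path):
    """Create a gzip tar of source_dir; entries are stored relative to it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return archive_path


def restore_drill(source_dir, archive_path, scratch_dir):
    """Restore into scratch_dir and report files that are missing or differ."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):      # Python 3.12+: refuse unsafe members
            tar.extractall(scratch_dir, filter="data")
        else:
            tar.extractall(scratch_dir)
    expected = hash_tree(source_dir)
    restored = hash_tree(scratch_dir)
    missing = sorted(set(expected) - set(restored))
    mismatched = sorted(p for p in expected
                        if p in restored and expected[p] != restored[p])
    return {"checked": len(expected), "missing": missing, "mismatched": mismatched}


def build_sample_data(root):
    """Constructed sample files standing in for the organization's data."""
    root = Path(root)
    (root / "records").mkdir(parents=True)
    (root / "records" / "enrollment.csv").write_text("id,name\n1,alice\n2,bob\n")
    (root / "policy.txt").write_text("backup policy v1\n")
    return root


def demo(stale=False):
    """Run the drill end to end in temporary directories and return the report.

    With stale=True a file is changed after the backup was taken, which is
    what an out-of-date backup looks like to the drill.
    """
    with tempfile.TemporaryDirectory() as data, tempfile.TemporaryDirectory() as work:
        src = build_sample_data(data)
        archive = make_backup(src, os.path.join(work, "backup.tar.gz"))
        if stale:
            (src / "policy.txt").write_text("backup policy v2\n")
        scratch = os.path.join(work, "restore")
        os.mkdir(scratch)
        return restore_drill(src, archive, scratch)


if __name__ == "__main__":
    print("fresh backup:", demo())
    print("stale backup:", demo(stale=True))
```

A drill that only checks that the archive opens proves very little; comparing hashes against the live data is what tells me the backup would actually bring the files back as they are now, and the "stale" run shows what the report looks like when it would not.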
I have to deal with damage appropriately:
- If a disaster actually occurs, document all costs (even interim assessment costs) and videotape the damage (to serve as proof of loss).
- Don't do anything about water damage to technical equipment except immediately contact professional recovery technicians.
- Be prepared to overcome downtime on my own; insurance settlements can take time to be resolved. Once settled, rebuilding, repurchasing, and reinstalling can take even more time, so don't expect that anything short of being completely prepared will get my office rolling again in a reasonable amount of time.
Which type of backup strategy makes sense for my organization? That depends on the types and number of files in the system, the level of technical expertise within the organization, and the organization's commitment to security, information that can be found in the results of a well-executed risk assessment. Even after needs unique to the organization have been identified, however, there are several more overarching issues that need to be considered before establishing backup plans:
- What amount of exposure to data loss can my organization comfortably tolerate?
- How old is my equipment? How reliable is it?
- What is the nature of my workplace? Do I process new data every day?
To further evaluate the type of backup strategy that will best meet my organization's needs, also weigh the following factors:
- The time and effort required to make changes to the files: If changes to the file take only a little time, backing up those changes may not be imperative. If the changes require a great deal of work (e.g., entering data collected from a long form), don't risk that effort and instead back it up frequently.
- The time and effort required to back up the files: If the actual backing up process requires little effort, why put it off? If it is time consuming, be more aware of proper timing.
- The value of the data: If the data are particularly valuable, back them up more often. If not, frequent backup may be less necessary.
- The rate of file change: If a document changes rapidly (e.g., because of the operator's speed in data entry), more frequent backup is probably needed.
~ Thank you for reading this post ~
🙏