Archive for the ‘Risk Management’ Category

How to gracefully lose control over computing assets

The cloud transition is about how to gracefully lose control over computing assets.

This is a good article. It traces the history of security from the military-minded security pros of yesterday, to the risk management security pros of today, to the great unknown of tomorrow. Given that information security is about guarding information assets, and that in the cloud those assets sit with vendors, InfoSec may shift toward vendor management and away from technological prowess. “For example, even in the case of stuff covered by compliance (you know, that critical Confidentiality stuff we’d never move to the Cloud), vendors will be quick to sell certified solutions (we’re already seeing this, actually).”

“Now in addition to worrying about measuring things like control effectiveness, A/V coverage, and risk, we’re going to have to understand things like: what level of Governance information are we going to require from which vendors? Once we have that Governance information, what are we going to actually do with it in order to make decisions?”


Referencing a post from https://securityblog.verizonenterprise.com/

Risk Management is prevention and Security Information Management is detection

Risk Management (RM) comprises asset management, threat management, and vulnerability management. Asset management includes tying IT equipment to business processes. It also includes performing an impact analysis to determine the relative value of the equipment, based on what it would cost the business if the equipment were unavailable and what the business would earn if the equipment were available. Threat management includes determining threat agents (the who) and threats (the what). For example, a disgruntled employee (threat agent) performs unauthorized physical access (threat 1) to sabotage equipment (threat 2). Vulnerability management is auditing, identifying, and remediating vulnerabilities in the IT hardware, software, and architecture. Risk management tracks assets, threats, and vulnerabilities at a high level by scoring on priority (Risk = Asset * Threat * Vulnerability) and scoring on exposure (Risk = Likelihood * Impact). Both scores are products of ordinal ratings, so they rank the register relative to itself rather than predict a dollar loss.

Once the register is prioritized, we can move on to determining controls to reduce the risk. Controls can be divided into three broad methods: administrative (management), operational, and technical. Preventative and detective are the two main forms of control. A preventative control stops the threat agent from carrying out the threat; in the example above, a locked door. A detective control records violations and raises a warning; for the disgruntled employee entering an unauthorized area, something like a motion detector. The resulting control matrix crosses method with form: management preventative, management detective, operational preventative, operational detective, technical preventative, and technical detective.
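The two scoring formulas and the control matrix above, carried through on a small constructed register. This is an added example, not code from the post: the 1-5 rating scales, the linear bucketing of the impact analysis, the sample assets, and the filing of the locked door and the motion detector under the operational method are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three methods and two forms from the post; the matrix is their cross product.
METHODS = ("management", "operational", "technical")
FORMS = ("preventative", "detective")


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk register: an asset tied to a business process, a
    threat agent (the who), a threat (the what), and ratings from the three
    RM disciplines. The 1-5 ordinal scales are an assumption, not the post's."""
    asset: str
    process: str
    threat_agent: str
    threat: str
    asset_value: int      # from the impact analysis
    threat_level: int     # from threat management
    vulnerability: int    # from vulnerability management (audit findings)
    likelihood: int
    impact: int

    def priority(self) -> int:
        """Risk = Asset * Threat * Vulnerability (1..125 on 1-5 scales)."""
        return self.asset_value * self.threat_level * self.vulnerability

    def exposure(self) -> int:
        """Risk = Likelihood * Impact (1..25 on 1-5 scales)."""
        return self.likelihood * self.impact


def asset_value_score(loss_per_hour: float, earn_per_hour: float,
                      scale_max: float = 100_000.0) -> int:
    """Impact analysis: what the business loses while the asset is down plus
    what it earns while it is up, bucketed onto 1..5. Linear buckets against
    scale_max are an assumption; a real program would use its own bands."""
    hourly = max(0.0, loss_per_hour + earn_per_hour)
    return min(5, 1 + int(4 * min(hourly, scale_max) / scale_max))


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Rank by priority score, breaking ties on exposure, highest first."""
    return sorted(register, key=lambda r: (r.priority(), r.exposure()), reverse=True)


def control_matrix(controls: List[Tuple[str, str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Build the method x form matrix from (method, form, control) triples,
    rejecting anything outside the three methods and two forms so that a
    control never silently lands in a cell that does not exist."""
    matrix: Dict[Tuple[str, str], List[str]] = {(m, f): [] for m in METHODS for f in FORMS}
    for method, form, name in controls:
        if (method, form) not in matrix:
            raise ValueError(f"unknown control class: {method}/{form}")
        matrix[(method, form)].append(name)
    return matrix


# Constructed register: the post's disgruntled-employee case plus two filler rows.
REGISTER = [
    RiskEntry("srv-fin01", "payment processing", "disgruntled employee",
              "unauthorized physical access to sabotage equipment",
              asset_value=asset_value_score(80_000, 20_000), threat_level=3,
              vulnerability=4, likelihood=2, impact=5),
    RiskEntry("lobby-wifi", "guest internet", "opportunist in the lobby",
              "eavesdropping on guest traffic",
              asset_value=asset_value_score(0, 0), threat_level=4,
              vulnerability=5, likelihood=4, impact=1),
    RiskEntry("fs-eng01", "engineering file share", "malware author",
              "worm spreading through open shares",
              asset_value=asset_value_score(30_000, 20_000), threat_level=4,
              vulnerability=2, likelihood=3, impact=4),
]

# The post's two example controls for the disgruntled-employee case; placing
# a locked door and a motion detector under the operational method is an assumption.
CONTROLS = [
    ("operational", "preventative", "locked door on the equipment room"),
    ("operational", "detective", "motion detector in the equipment room"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"priority={r.priority():3d} exposure={r.exposure():2d}  {r.asset:<10} {r.threat}")
    for (method, form), names in control_matrix(CONTROLS).items():
        print(f"{method:<12} {form:<12} {names}")
```

Ranking on priority first and exposure second mirrors the post's two-score approach: the high-value server with a known sabotage vulnerability sorts to the top even though its likelihood rating is low, which is where the preventative-control effort goes first.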

Security Information Management (SIM) is a technical detective control that consists of event monitoring and pattern detection. Event monitoring shows what happened, when, and where, from both the network and the host perspectives. Pattern detection is then applied to look for known attacks or unknown anomalies. The challenge an InfoSec practitioner faces is that there are far too many events and too many attack patterns to perform this analysis manually. The purpose of a SIM is to aggregate the detective controls from the various parts of the network, automate the analysis, and roll it up into one console.
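The SIM pipeline just described, as an added example that is not code from the post or from any SIM product: two feeds (a firewall for the network perspective, a server's logon records for the host perspective) are normalized into one timeline, then three patterns are run over it: two known-attack signatures (a port sweep, a brute force that ends in a successful logon) and one anomaly (a logon outside a business-hours baseline). The log formats, the sample lines, the thresholds, and the 07:00-19:00 baseline are all constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # which detective control reported it: "network" or "host"
    host: str
    kind: str       # normalized type: FW_DENY, FW_ALLOW, LOGON_FAILURE, LOGON_SUCCESS
    src_ip: str
    dst: str = ""   # destination host for network events
    user: str = ""  # account for host events


# Constructed sample log lines (not captured from a real network); formats are assumed.
FIREWALL_LOG = """\
2008-09-18 02:01:10 fw01 DENY tcp 10.0.5.23:51012 -> 10.0.1.10:22
2008-09-18 02:01:11 fw01 DENY tcp 10.0.5.23:51013 -> 10.0.1.11:22
2008-09-18 02:01:12 fw01 DENY tcp 10.0.5.23:51014 -> 10.0.1.12:22
2008-09-18 02:01:13 fw01 DENY tcp 10.0.5.23:51015 -> 10.0.1.13:22
2008-09-18 02:01:14 fw01 DENY tcp 10.0.5.23:51016 -> 10.0.1.14:22
2008-09-18 09:15:00 fw01 ALLOW tcp 10.0.5.40:40001 -> 10.0.1.10:443
"""
HOST_LOG = """\
2008-09-18 02:03:40 srv-fin01 LOGON_FAILURE user=jdoe src=10.0.5.23
2008-09-18 02:03:42 srv-fin01 LOGON_FAILURE user=jdoe src=10.0.5.23
2008-09-18 02:03:45 srv-fin01 LOGON_FAILURE user=jdoe src=10.0.5.23
2008-09-18 02:03:50 srv-fin01 LOGON_SUCCESS user=jdoe src=10.0.5.23
2008-09-18 09:20:12 srv-fin01 LOGON_SUCCESS user=asmith src=10.0.5.40
"""

FW_RE = re.compile(r"^(\S+ \S+) (\S+) (ALLOW|DENY) \S+ ([\d.]+):\d+ -> ([\d.]+):\d+$")
HOST_RE = re.compile(r"^(\S+ \S+) (\S+) (LOGON_FAILURE|LOGON_SUCCESS) user=(\S+) src=([\d.]+)$")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_firewall(text: str) -> List[Event]:
    """Network perspective: normalize firewall lines, skipping anything unparseable."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst = m.groups()
            out.append(Event(_ts(ts), "network", host, "FW_" + action, src, dst=dst))
    return out


def parse_host(text: str) -> List[Event]:
    """Host perspective: normalize logon records from the server's own log."""
    out = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ts, host, kind, user, src = m.groups()
            out.append(Event(_ts(ts), "host", host, kind, src, user=user))
    return out


def aggregate(*streams: List[Event]) -> List[Event]:
    """Event monitoring: one time-ordered record of what happened, when and where."""
    return sorted((e for s in streams for e in s), key=lambda e: e.ts)


def detect_scan(events: List[Event], min_targets: int = 5,
                window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Known attack: one source denied to >= min_targets distinct hosts inside the window."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "FW_DENY":
            by_src[e.src_ip].append(e)
    alerts = []
    for src, denies in by_src.items():
        for i, first in enumerate(denies):  # aggregate() already ordered them by time
            targets = {e.dst for e in denies[i:] if e.ts - first.ts <= window}
            if len(targets) >= min_targets:
                alerts.append(f"scan: {src} probed {len(targets)} hosts starting {first.ts:%H:%M:%S}")
                break
    return alerts


def detect_bruteforce(events: List[Event], min_failures: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Known attack: >= min_failures failed logons then a success for the same host/user/source."""
    failures: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    alerts = []
    for e in events:
        key = (e.host, e.user, e.src_ip)
        if e.kind == "LOGON_FAILURE":
            failures[key].append(e.ts)
        elif e.kind == "LOGON_SUCCESS":
            recent = [t for t in failures[key] if e.ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append(f"brute force: {e.user}@{e.host} from {e.src_ip} after {len(recent)} failures")
    return alerts


def detect_offhours(events: List[Event], start_hour: int = 7, end_hour: int = 19) -> List[str]:
    """Unknown anomaly: a successful logon outside the assumed business-hours baseline."""
    return [f"off-hours logon: {e.user}@{e.host} at {e.ts:%H:%M}"
            for e in events
            if e.kind == "LOGON_SUCCESS" and not start_hour <= e.ts.hour < end_hour]


def console(events: List[Event]) -> List[str]:
    """Roll every pattern up into the single alert list an analyst reviews."""
    return detect_scan(events) + detect_bruteforce(events) + detect_offhours(events)


if __name__ == "__main__":
    for alert in console(aggregate(parse_firewall(FIREWALL_LOG), parse_host(HOST_LOG))):
        print(alert)
```

The point of the merge step is that the brute-force and off-hours alerts come from the host log while the sweep comes from the firewall, yet all three concern the same source address and the same ten minutes; only on the aggregated timeline does that read as one incident rather than three unrelated tickets.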

My approach to managing security for a business network is to use Risk Management as a top-down approach. This lets me prioritize my efforts on preventative controls. My team and I can then dig deep into the security options and system parameters offered by the IT equipment that drives the business. For all other systems, I rely on detective controls summarized by a Security Information Management tool.

In my network architecture, RM drives preventative controls and SIM drives detective controls.

Out and About: Practical Risk Management

Contact: Cynthia Meinke
Ph: 248-373-8494
Date(s): 9/18/08
Time: 6:00 PM
Location: Cisco Systems, 2000 Town Center, Suite 450, Southfield, MI 48075

Event Description:

The Motor City Chapter of the Information Systems Security Association (ISSA) will be hosting their September meeting with a presentation on Practical Risk Management. Their speaker, J. Wolfgang Goerlich, CISSP, CISA, is an information security professional with over a decade of experience in IT. Currently Mr. Goerlich is the Network Operations and Security Manager for a large financial institution in Michigan. In this presentation, Mr. Goerlich will describe some of the challenges he faced while developing an enterprise risk management program and explain how he ultimately solved them with a leading governance, risk and compliance (GRC) technology. This presentation will discuss the practical implementation of GRC technology, discuss its uses, and review lessons learned.

This event is open to non-members. Please RSVP to secretary@issa-motorcity.org. For further information, please contact Cynthia Meinke at 248-373-8494 ext. 405.