Manage Risk Before it Damages You - Part Two

Sunday, April 01, 2012

Neira Jones


In the previous post, I spoke about the importance of having an asset register and how crucial asset classification is. After all, not many of us have unlimited resources, therefore focusing investment where it matters most is the way to go.

Whilst I was thinking about this, the link between changing the traditional CISO attitude and the necessity for risk management became even more apparent, and I would like to expand on the trinity of “Asset, Technical Services and Business Need”...

If we agree that the types of assets to be considered have been defined in the previous post, the new trinity is only a slight revamping of my favourite “People, Process and Technology” and can be described as follows:

For a CISO to be successful, they need not only to be prepared to eliminate redundant services and controls (ouch!...), but also to promote the elimination of redundant assets which they will invariably not own... Enter the political CISO...

So, go on, why not hold a workshop with all the executive business stakeholders to ask them the following questions?...

  • Are my employees/agents taking information outside of the organisation? How can they do this? Do I care?
  • Do I need to limit access to this information to only those who need it? What happens if I don’t?
  • What types of attackers would be interested in infiltrating my systems? What would they seek? Why? How damaging?
  • If any web server was compromised, how difficult would it be for an attacker to work their way to the systems containing this information? How easy would it be to take this information out? Do I care?
  • How quickly would I know this has happened? How quickly do I need to stop it?
  • How quickly do I need to respond to the market? What do I need to say?

Here you go: a very basic crash course in threat scenario modelling... Believe me, this is a very interesting and enlightening exercise to conduct, and it can break down some boundaries. Try it...

Again, it goes back to my old adage: don’t spend £100 protecting a £1 asset, fix the basics first, choose the right partners, train at all levels and be prepared...

Until next time...

Cross-posted from neirajones

john walker This is a very interesting, but somewhat basic opinion, which I find a little worrying. We have seen a number of recent aggressive and very successful incursions by groups out of the Hacktivist field, as well as those from the Serious and Organised Crime world. Can it really be that there are CISOs in place that need such fundamental, basic s
Security Awareness, and Education – and I am wondering, if this is the case, could this be the reason, Cyber Attacks are enjoying such success.
My opinion is, for far too long the Security Industry has relied on Tick Box, PCI-DSS led initiatives to represent security, when in fact the time is well gone by the sell-by date when we MUST get back to 'Technical Basics' – and then assert that those in the seats of power have the basics of security to steer the Corporate Ship – if we don’t have this, I feel we will see even more successful adverse incursions for the foreseeable future.
Neira Jones Hi John, is it the state of affairs or the opinion that you find basic?
I agree that there were very successful incursions by hacktivists, but ultimately, even that is a matter of good risk management. Not all organisations will be subject to such threats; as you will see from the numerous data breach reports and recent fraud figures (and what I observe in real life), it is still, unfortunately, a matter of fixing the basics (and Security awareness & education is fundamental...)
Kind regards,
Neira