January 27, 2014

2.2.1 Implement security controls based on risk

Assets such as data have value, and with that value comes a risk of misuse. Misuse here is shorthand for the asset falling into the wrong hands, being lost, being fraudulently modified, and similar outcomes. Security controls are the measures taken to protect assets from misuse. Risk is the potential that a specific action (or failure to act) will lead to a loss, where a loss is any undesirable outcome.

Where the risk is low, the security controls protecting the asset can be minimal. Where the risk is high, the controls should be strengthened accordingly. The organization decides which controls to implement based on the likelihood of the risk and the impact if it occurs, and the controls it undertakes can range from minimal to elevated. Depending on the cost of mitigating the risk, the organization can follow one of the following risk management approaches:
  • Risk Acceptance – being fully aware of the risk and its effects and deliberately choosing to do nothing about it
  • Risk Avoidance – an informed decision not to take the actions that could lead to the risk
  • Risk Mitigation – any step taken to reduce the likelihood or impact of the risk
  • Risk Deterrence – adopting policies and procedures that impose consequences on an attacker
  • Risk Transference – shifting the consequences of the risk to a third party, for example through insurance or an outsourcing agreement
Risk acceptance is the outcome of a cost/benefit risk calculation: if the cost of mitigating a risk exceeds the value of the asset or the harm that would result, the calculation informs the organization that it should accept the risk and do nothing.

Risk calculation, or risk analysis, considers threats, vulnerabilities, and the impact of a loss. Even after a risk calculation has been done and the appropriate security controls have been implemented, the risk should be audited periodically: threats, asset values, and control costs change over time, and the original decision may no longer hold.

A risk calculation weighs the impact of a threat against the likelihood of that threat occurring. It identifies both the asset you want to protect and the threat, or potential harm, to that asset. An example of such a calculation likely kept EMV chip technology (known as Chip and PIN in the United Kingdom) off credit cards in the US for years. Cards with embedded chips are more secure than magnetic-stripe cards, but they are also more costly to produce. Until the expected loss from the threat (e.g. liability for stolen card numbers) exceeded the cost of conversion, converting did not make sense from a cost/benefit standpoint.
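The cost/benefit calculation described above (for the acceptance decision and for the chip-card example) is usually done quantitatively with single loss expectancy (SLE = asset value × exposure factor), annualized loss expectancy (ALE = SLE × annualized rate of occurrence), and the annual cost of each candidate control. The following is an added example, not code from the original post: it models a card-fraud risk, evaluates a mitigation option and a transference option, and falls back to acceptance when no control pays for itself. All figures (asset value, exposure factors, control costs, ARO values) are constructed for illustration and are not real EMV or fraud statistics.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A quantified risk to one asset (all monetary values in the same currency unit)."""

    asset_value: float       # value of the asset exposed to the threat
    exposure_factor: float   # fraction of the asset lost per incident (0..1)
    aro: float               # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year with no further controls."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate risk treatment and how it changes the risk it is applied to."""

    name: str
    approach: str                     # "mitigation" or "transference" (constructed labels)
    annual_cost: float                # recurring cost of the control per year
    residual_aro_factor: float = 1.0  # multiplier on ARO: mitigation makes incidents rarer
    residual_ef_factor: float = 1.0   # multiplier on exposure factor: transference shifts part of each loss

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains once this control is in place."""
        return Risk(
            asset_value=risk.asset_value,
            exposure_factor=risk.exposure_factor * self.residual_ef_factor,
            aro=risk.aro * self.residual_aro_factor,
        )

    def net_benefit(self, risk: Risk) -> float:
        """Annual ALE reduction minus annual control cost: the cost/benefit figure."""
        return risk.ale - self.residual(risk).ale - self.annual_cost


def choose_treatment(risk: Risk, controls: list[Control]) -> tuple[str, float]:
    """Pick the control with the highest positive net benefit.

    Returns (treatment name, net benefit). When every control costs more than the
    loss it prevents, the rational outcome is risk acceptance with a benefit of 0.
    """
    best = max(controls, key=lambda c: c.net_benefit(risk), default=None)
    if best is None or best.net_benefit(risk) <= 0:
        return ("acceptance", 0.0)
    return (best.name, best.net_benefit(risk))


# Constructed scenario loosely modelled on the chip-card discussion above.
# asset_value: annual card volume at risk; exposure_factor: share lost per fraud wave.
CARD_FRAUD = Risk(asset_value=10_000_000, exposure_factor=0.2, aro=1.0)

CONTROLS = [
    # Mitigation: converting to chip cards is expensive but makes successful fraud rare.
    Control("chip migration", "mitigation", annual_cost=2_500_000, residual_aro_factor=0.2),
    # Transference: fraud insurance covers half of each loss for a yearly premium.
    Control("fraud insurance", "transference", annual_cost=800_000, residual_ef_factor=0.5),
]


def treatment_for_aro(aro: float) -> tuple[str, float]:
    """Re-run the decision for a different fraud frequency, everything else unchanged."""
    risk = Risk(CARD_FRAUD.asset_value, CARD_FRAUD.exposure_factor, aro)
    return choose_treatment(risk, CONTROLS)


if __name__ == "__main__":
    for aro in (0.2, 1.0, 3.0):
        name, benefit = treatment_for_aro(aro)
        print(f"ARO={aro:<4} ALE={Risk(1e7, 0.2, aro).ale:>12,.0f}  -> {name} (net benefit {benefit:,.0f})")
```

Running the block shows the decision flipping as the threat grows: at a low fraud rate neither control pays for itself and the risk is accepted; at the baseline rate the cheaper transference option (insurance) wins; only once fraud becomes frequent enough does the expensive chip migration show the largest net benefit, which is the dynamic the chip-card example describes. The numbers are constructed, so the thresholds are illustrative, but the structure of the calculation is the same one an organization would run with its own figures.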
