Thursday, May 13, 2010
Saturday, March 20, 2010
Risk Management
Risk Management is a very broad term and cannot be summarized in one sentence.
Still, we can say that risk management is the discipline of managing risks across diverse areas of the business, which may or may not be interrelated.
Risk management succeeds only when it is tied to every aspect of organizational policy and results in security for the organization as a whole.
Any risk that materializes ultimately leads to a loss for the organization, so each risk has to be handled carefully, taking into account its full impact and the loss that would follow if it occurs.
Risks differ and depend largely on the nature of the business the organization carries out. For example, a healthcare company has different risks to overcome than an IT organization.
Some risks, however, are common to all organizations irrespective of the nature of their business. These can be summarized as physical risks, environmental disasters and other socio-environmental risks.
Risk management has to cover risk analysis up front, risk mitigation, risk reduction, and keeping the organization in business with minimum impact.
Friday, March 12, 2010
Information Security Risk Assessment
The next question is: what is an Information Security Risk Assessment, the analysis phase of risk management?
Proper and thorough risk analysis is necessary, as the whole information security process depends on this phase. Even a single miss can result in a security program that is not effective.
This phase is the most critical in analysing an organization's security architecture.
There are 2 methods of assessing risk:
-> Qualitative Risk Analysis
-> Quantitative Risk Analysis
Qualitative Risk Analysis :- Deals with the likelihood and occurrence of threats, the vulnerabilities they exploit, the applicable risk factors and the controls in place to counter the threat and reduce the risk. Likelihood and impact are rated on a scale (for example low/medium/high) rather than in money. No control makes a system completely non-vulnerable; the goal is to bring the risk down to an acceptable level.
Quantitative Risk Analysis :- Deals with monetary values and data, and calculates loss expectancy using SLE (Single Loss Expectancy), ALE (Annualized Loss Expectancy) and ARO (Annualized Rate of Occurrence of a particular threat).
The formula is
ALE = SLE X ARO
To compute the SLE we need 2 more quantities:
EF (Exposure Factor: the fraction of the asset's value lost when the threat materializes)
Asset Value (AV: the value of the asset at the time the threat materializes)
Putting these together gives
SLE = EF X Asset Value
Once the risks are understood and identified, the next step is to treat them.
The ways to handle a risk are
-> Avoid (Eliminate) Risk :- Remove the activity or system that gives rise to the risk. Not always possible, since it may mean removing the system itself.
-> Mitigate (Minimize) Risk :- Put controls in place that reduce the likelihood or the impact, or delay the impact, as with a door delay (discussed later) which buys time to react when an incident occurs.
-> Transfer Risk :- Shift the financial impact to someone else, typically by insuring against risks that cannot be prevented, such as hurricanes and other natural disasters.
-> Accept Risk :- Appropriate when the cost of the controls outweighs the expected loss (the ALE). If putting measures in place would cost more than the damage they prevent, it is reasonable to accept the risk, provided the organization can live with the loss and the risk does not spill over onto third parties or vendor networks.
A number of tools are available to perform risk assessment, such as:
CORA, COBRA, CRAMM and RiskPAC, each focused on a different sector of business: government and public sector, telecom and IT, health, and enterprise.
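The quantitative formulas above (SLE = EF X AV, ALE = SLE X ARO) and the minimize-versus-accept decision can be worked through in code. The following is an added example written for this page, not code from the original post or from any of the tools named above; the threats, asset values, exposure factors, occurrence rates and control costs are constructed sample figures. It goes one step beyond the post by also computing the net value of a safeguard, which is the number that actually decides between minimizing and accepting a risk.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset (constructed sample values below)."""
    name: str
    asset_value: float      # AV: value of the asset when the threat materializes
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0 to 1.0
    aro: float              # ARO: expected number of incidents per year


@dataclass(frozen=True)
class Control:
    """A safeguard, with what it costs per year and what risk it leaves behind."""
    name: str
    annual_cost: float   # purchase plus upkeep, amortized per year
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place


def sle(t: Threat) -> float:
    """Single Loss Expectancy = EF x AV: loss from one occurrence."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return t.exposure_factor * t.asset_value


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy = SLE x ARO: expected loss per year."""
    return sle(t) * t.aro


def residual_ale(t: Threat, c: Control) -> float:
    """ALE after the control has reduced EF and/or ARO."""
    return ale(Threat(t.name, t.asset_value, c.residual_ef, c.residual_aro))


def control_value(t: Threat, c: Control) -> float:
    """Net yearly value of a safeguard:
    (ALE before) - (ALE after) - (annual cost). Positive means it pays for itself."""
    return ale(t) - residual_ale(t, c) - c.annual_cost


def recommend(t: Threat, candidates: list[Control]) -> tuple[str, str]:
    """Minimize with the best-paying control if any has positive net value,
    otherwise accept: the expected loss is cheaper than every control on offer.
    Returns (treatment, control name or '')."""
    best = max(candidates, key=lambda c: control_value(t, c), default=None)
    if best is not None and control_value(t, best) > 0:
        return "minimize", best.name
    return "accept", ""


# Constructed sample data for the example (not real figures).
DB_OUTAGE = Threat("database server outage", asset_value=500_000, exposure_factor=0.30, aro=0.2)
DB_CONTROLS = [
    Control("offsite backups", annual_cost=10_000, residual_ef=0.05, residual_aro=0.2),
    Control("hot standby site", annual_cost=60_000, residual_ef=0.01, residual_aro=0.2),
]
LAPTOP_THEFT = Threat("laptop theft", asset_value=2_000, exposure_factor=1.0, aro=0.5)
LAPTOP_CONTROLS = [
    Control("tracking and remote wipe service", annual_cost=3_000, residual_ef=0.5, residual_aro=0.5),
]

if __name__ == "__main__":
    for threat, controls in ((DB_OUTAGE, DB_CONTROLS), (LAPTOP_THEFT, LAPTOP_CONTROLS)):
        print(f"{threat.name}: SLE={sle(threat):,.0f} ALE={ale(threat):,.0f}")
        for c in controls:
            print(f"  {c.name}: residual ALE={residual_ale(threat, c):,.0f} "
                  f"net value={control_value(threat, c):,.0f}")
        print("  ->", recommend(threat, controls))
```

For the constructed database threat the ALE is 30,000 per year; offsite backups cut it to 5,000 for 10,000 a year (net value 15,000, so minimize), while the hot standby site costs more than it saves. The laptop threat has an ALE of 1,000, and the only control on offer costs 3,000, so the right treatment is to accept it. Transfer can be modelled the same way by treating the insurance premium as the annual cost and the deductible as the residual loss.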
Tuesday, March 9, 2010
IT Security Audit
When we talk about a security audit we need to understand its scope and what it involves, its various stages and deliverables.
The first stage of an audit is establishing the requirements for auditing a given system.
Let's look at some points:
-> What system to audit?
-> Is the system in use 24x7?
-> What is the state of the system?
-> What critical functions and processes does it carry out?
-> What data does it process?
-> When is the peak time of access, and how many users/processes use the system on average?
-> Are there legal responsibilities attached to the data?
-> How is the audit process to be carried out?
The points above are just the basic requirements to know before the audit process starts. They answer the question WHAT TO AUDIT.
The next step towards auditing is HOW TO AUDIT.
This is where Information Security Risk Assessment comes in.
Auditing is not done only to see whether proper controls are in place, but also to perform a risk assessment to confirm that the controls in place are appropriate and justified.
The steps in an information security risk assessment can be defined as
-> Asset Classification
-> Threat and Vulnerability Assessment
-> Checking the controls in place to mitigate the risks
-> Analysis of controls, feasibility study, decisions and recommendations
-> Complete documentation and a summary report
Sunday, March 7, 2010
Authentication Mechanisms
What is authentication?
-> Authentication is the process of establishing whether a client is who or what it claims to be in a particular context. The client can be an end user, a machine or an application.
When we talk about authentication, we have to discuss the mechanisms used to authenticate a user, process or client.
Put simply, there are many ways authentication can be done:
-> One-time passwords
-> Challenge-response mechanisms
-> Time-based mechanisms, such as an RSA SecurID token (passcode generator)
This is just a snapshot of the authentication mechanisms commonly used; many newer mechanisms are available to look into.
Taking the case of RSA SecurID, we are back to the 2-factor authentication from our earlier post, where
-> Something you have (a token that generates a passcode)
-> Something you know (a PIN)
are used together to authenticate the user.
The user enters his ID and then a combination of PIN + passcode.
A newer technology on the market is RSA Adaptive Authentication,
which uses a risk engine that looks at various factors to determine the risk level of an entity.
It takes many parameters into account and performs a risk assessment of each login or transaction.
A risk score is assigned to each activity and users are challenged only for high-risk activity. This lets companies increase security without disrupting users' normal activity.
It is still at a nascent stage but is slowly gaining deployments worldwide.
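The three mechanisms listed above (one-time passwords, challenge-response, and a time-based token combined with a PIN) can be shown end to end. The example below is added for this page and is not code from the original post or from RSA: it uses the open-standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238) to stand in for a proprietary token's passcode generator, which illustrates the same principle but is not SecurID's algorithm. The user record, PIN and seed (the RFC 6238 test seed) are constructed for illustration; the PIN length of 4 and the 6-digit code are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, now // step, digits)


def matching_step(key: bytes, code: str, now: int, step: int = 30,
                  digits: int = 6, skew: int = 1) -> Optional[int]:
    """Return the time step whose code matches, allowing +/- `skew` steps of
    clock drift between token and server, or None. Comparison is constant-time."""
    for delta in range(-skew, skew + 1):
        counter = now // step + delta
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


class TokenUser:
    """Constructed user record: public ID, hashed PIN (something you know),
    token seed (something you have) and the last time step already used,
    so a one-time code really is accepted only once."""

    def __init__(self, user_id: str, pin: str, seed: bytes):
        self.user_id = user_id
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)
        self.seed = seed  # in a real deployment this lives in the token/HSM, never in plain files
        self.last_step = -1


def login(user: TokenUser, passcode: str, now: int, pin_len: int = 4,
          step: int = 30, skew: int = 1) -> bool:
    """Verify ID + (PIN || OTP), as the post describes. Both factors are always
    evaluated so a failure does not reveal which one was wrong, and a code from a
    time step at or before the last accepted one is rejected as a replay."""
    if len(passcode) != pin_len + 6 or not passcode.isdigit():
        return False
    pin, code = passcode[:pin_len], passcode[pin_len:]
    pin_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", pin.encode(), user.salt, PBKDF2_ROUNDS), user.pin_hash)
    used_step = matching_step(user.seed, code, now, step, 6, skew)
    if not pin_ok or used_step is None or used_step <= user.last_step:
        return False
    user.last_step = used_step
    return True


# Challenge-response: the verifier sends a fresh random challenge and the client
# proves possession of the shared key by returning HMAC(key, challenge). Nothing
# reusable crosses the wire, unlike a static password.
def make_challenge() -> bytes:
    return secrets.token_bytes(16)


def respond(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_response(key: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond(key, challenge), response)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed; a real seed is random and secret
    user = TokenUser("emp001", "4321", seed)
    code = totp(seed, 59)  # what the token would display at unix time 59
    print("login", login(user, "4321" + code, 59))   # True
    print("replay", login(user, "4321" + code, 60))  # False: same time step reused
    ch = make_challenge()
    print("challenge-response", verify_response(seed, ch, respond(seed, ch)))  # True
```

Two details matter in practice and are easy to get wrong: the skew window must be small (here one 30-second step either way) or the code stops being time-bound, and the server must remember the last accepted step, otherwise a captured passcode can be replayed for the rest of its window and the "one-time" property is lost.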
Saturday, March 6, 2010
Access Control for Data
When we say access control, a few things come to mind:
-> Identification
-> Authentication
-> Authorization
-> Accountability
Identification is a public identity, for example an EMPID known to everyone in the organization. Identification by itself does not guarantee that the user is authenticated or authorized for a particular access.
Identification has to be paired with a mechanism that proves it; this is where authentication comes into the picture.
Users can be authenticated in ways such as
-> Hardware: a biometric device, an RSA token
-> Software: passwords, software tokens
Authentication is a large chapter in itself, as there are many existing and new technologies to authenticate users and grant resource access; we will take these up later.
For now, 2-factor authentication, which is considerably stronger than a password alone, can be summed up as combining two of:
-> Something the user has (an RSA token or a software token)
-> Something the user knows (a password or PIN)
-> Something the user is (a biometric such as a fingerprint; an EMPID is identification, not a factor)
2-factor authentication requires the person to present two of these factors of different types; two proofs of the same type, such as a password and a security question, still count as one factor.
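The four steps above are distinct, and the distinction is easiest to see in code: a public EMPID identifies but grants nothing, two factors only count when they are of different types, authorization is a default-deny lookup, and accountability means every decision is recorded. The following is an added example written for this page, not code from the original post; the employee IDs, resources, ACL and the rule that the payroll database requires two-factor sessions are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Factor(Enum):
    KNOW = "something you know"  # password, PIN
    HAVE = "something you have"  # hardware or software token
    ARE = "something you are"    # fingerprint, iris, face


@dataclass
class Session:
    """Result of a completed login. emp_id is identification only: public,
    not a secret and not a factor. proofs records which (factor, method)
    pairs were actually verified."""
    emp_id: str
    proofs: tuple  # e.g. ((Factor.KNOW, "password"), (Factor.HAVE, "token"))


def is_two_factor(session: Session) -> bool:
    """Two-factor means two *different* factor types. A password plus a
    security question are both KNOW and still count as a single factor."""
    return len({factor for factor, _ in session.proofs}) >= 2


# Constructed ACL: resource -> emp_id -> permitted operations. Anything not
# listed is denied (least privilege).
ACL = {
    "payroll.db": {"E1001": {"read"}, "E2002": {"read", "write"}},
    "hr.docs": {"E1001": {"read", "write"}},
}
SENSITIVE = {"payroll.db"}  # access here requires a two-factor session
AUDIT_LOG: list[dict] = []  # accountability: every decision, granted or refused


def authorize(session: Optional[Session], resource: str, op: str, when: str) -> bool:
    """Authorization decision with default deny:
    - no authenticated session (a bare EMPID is not enough) -> refused
    - identity or operation not in the ACL -> refused
    - sensitive resource without two-factor authentication -> refused
    Every outcome is appended to AUDIT_LOG so it can be traced to a person."""
    granted, reason = False, "no authenticated session"
    if session is not None:
        permitted = ACL.get(resource, {}).get(session.emp_id, set())
        if op not in permitted:
            reason = "not permitted by ACL"
        elif resource in SENSITIVE and not is_two_factor(session):
            reason = "two-factor authentication required"
        else:
            granted, reason = True, "granted"
    AUDIT_LOG.append({
        "time": when,
        "who": session.emp_id if session else None,
        "resource": resource,
        "op": op,
        "granted": granted,
        "reason": reason,
    })
    return granted


if __name__ == "__main__":
    password_only = Session("E1001", ((Factor.KNOW, "password"),))
    pin_and_token = Session("E2002", ((Factor.KNOW, "PIN"), (Factor.HAVE, "RSA token")))
    authorize(None, "hr.docs", "read", "2010-03-06T09:00")              # refused: no session
    authorize(password_only, "hr.docs", "write", "2010-03-06T09:01")    # granted
    authorize(password_only, "payroll.db", "read", "2010-03-06T09:02")  # refused: 2FA required
    authorize(pin_and_token, "payroll.db", "write", "2010-03-06T09:03") # granted
    for entry in AUDIT_LOG:
        print(entry)
```

Note that refusals are logged with the same detail as grants; an audit trail that only records successes cannot show who tried to reach the payroll database and was turned away, which is usually the more interesting question.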
The 3rd trait is Availability.
Put simply, information should be available to the people intended to use it, for read/write access according to their authorization level, so that it can be presented and used for the purpose it is meant for.