Security Management Strategies for the CIOAccess "The security risk management lifecycle framework"
This article is part of the June 2003 issue of Defense-in-Depth: Securing the network from the perimeter to the core
IT security risk management is best approached as a "lifecycle" of activities, one logically leading into the next. The most important thing to remember is that risk is evolutionary, which means these activities must be continuously repeated and refined. Here's a basic framework of critical steps. Identify Assets You can't secure an asset if you don't know it exists. The first step in risk management involves asset identification, classification and valuation. CISOs are the custodians of information, not the owners. Make sure you work with departmental and business unit leaders to determine an asset's value to the organization. Assess Risk Next comes the difficult part: assessing the overall risk to the asset. There are several formal methods for doing this, including qualitative and quantitative risk analysis. To assess an asset's risk, you have to evaluate three variables: the overall threat to the asset (both inside and outside the organization); its inherent and environmental vulnerability levels; and the cost of loss, downtime and recovery should it be ... Access >>>
Access TechTarget
Premium Content for Free.
What's Inside
Features
-
-
Designing a defense-in-depth network security model
by Joel Snyder, Contributor
We challenged networking and firewall vendors to provide defense-in-depth security from the perimeter to the core. Their responses give us a glimpse into the future of enterprise network security.
-
First person: Editor Andrew Briney on how to pass the CISSP exam
by Andrew Briney
Newly minted CISSP Andrew Briney explains how to pass the CISSP exam, infosec's most coveted and controversial certification.
-
CISSP study plan: CISSP prep books, guides and resources
by Andrew Briney
Check out Andrew Briney's CISSP study plan recommendations on the best CISSP prep books, guides and websites.
-
The security risk management lifecycle framework
by Andrew Briney
Learn about the seven steps in the enterprise information security risk management lifecycle framework.
-
Designing a defense-in-depth network security model
by Joel Snyder, Contributor
-
-
Top challenges facing defense-in-depth firewall technology
by Joel Snyder, Contributor
Defense-in-depth firewall technology may offer value, but there are six barriers thwarting firewall technology on the port level.
-
Preparing for CISSP exam questions: What to expect
by Andrew Briney
Anybody who says the CISSP exam is easy isn't telling the whole story. There are plenty of difficult questions--some legitimate, some goofy.
-
Roundtable: Practical strategies for enterprise-wide risk management
by Andrew Briney
Four CISOs explore practical strategies for managing enterprise risk-from classification to assessment to monitoring to response.
-
Keeping security initiatives on track through executive, management turnover
by Anne Saita
How to keep enterprise security initiatives on track...even when there are cracks in the corporate ladder.
-
Top challenges facing defense-in-depth firewall technology
by Joel Snyder, Contributor
-
Columns
-
Achieving compliance with the California SB 1386 privacy law
by Randy Sabett, Contributor
California's new SB 1386 privacy law is full of ambiguity, but if you do business there, you'd better get your guard up.
-
Test center: CORE IMPACT 3.1 automated pen testing tool
by Scott Sidel, Contributor
Numerous mistakes tarnish the benefits of CORE Security's CORE IMPACT 3.1 automated pen testing tool.
-
POF fingerprint scanning tools mitigate OS fingerprinting vulnerabilities
by Marcus J. Ranum, Contributor
Nmap's silent parnter, POF is an OS fingerprinting tool for the good guys.
-
How to learn IT security in your spare time
by Dana W. Paxson, Contributor
When considering how to learn IT security, never underestimate the power of a few minutes of downtime.
-
Achieving compliance with the California SB 1386 privacy law
by Randy Sabett, Contributor
More Premium Content Accessible For Free
Unlock new pathways to network security architecture
E-Zine
Network security architecture is showing its age at many organizations. With new technology, different data types, and use of multi-generations of ...
Emerging threat detection techniques and products
E-Handbook
Advanced persistent threat (APT) has been a used and abused term in the security industry, but security experts say targeted attacks are a growing ...
The rapid evolution of MDM solutions
E-Zine
Mobile device management (MDM) continues to grow at a feverish pace, both in terms of adoption and mobile security features. BYOD policies, and the ...