
Is your risk management plan as good as it gets?

Shawna McAlearney, Staff Writer

Not all security incidents can be prevented, nor is it cost-effective to try to prevent every one of them. Each control should be evaluated on its own merits before it is implemented. Issues to consider include direct costs, training, decreased system performance and public perception.

To help security managers put such recommendations into practice, the National Institute of Standards and Technology (NIST) has just released an incident response guide that emphasizes being prepared for a range of security breaches.

The guide describes three kinds of controls. Management controls focus on compliance with the organization's information protection policy, guidelines and standards in order to manage and reduce the risk of loss and protect the organization's mission. Detection controls warn of violations or attempted violations of security policy; examples include audit trails, intrusion detection methods and checksums. Recovery controls restore computing resources that have been lost.

"In order to get a solid handle on all vulnerabilities, enterprises need sound policy definition and the ability to define secure states for different classes of systems," said Steve Solomon, CEO of Citadel Security, a provider of automated vulnerability remediation and policy enforcement solutions.

To ensure that controls are cost-effective and to allocate resources sensibly, NIST says organizations should conduct a cost-benefit analysis for each control to determine which are appropriate. Each control should be evaluated for its impact and its cost of implementation, including purchase price, reduced system performance or functionality weighed against increased security, and hidden costs such as additional personnel and training, maintenance, and the cost of implementing additional policies and procedures.

"The costs and benefits should be weighed against system and data criticality in terms of maintaining an acceptable mission posture for the organization," said Gary Stoneburner, an IT specialist in the security division at NIST who coauthored the guide. Just as there is a cost for implementing a needed control, there's a cost for not implementing it, according to the guide.

NIST's guide also includes sample questions to ask site personnel to gain an understanding of the operational characteristics of an organization and a sample risk assessment report outline.

