
Is your risk management plan as good as it gets?

By Shawna McAlearney, Staff Writer
05 Feb 2004 | Security Wire Perspectives


Not all security incidents can be prevented, nor is it cost-effective to try. Each control should be evaluated on its own merits prior to implementation. Issues to consider: direct costs, training, decreased system performance and public perception.

The just-released incident response guide from the National Institute of Standards and Technology (NIST) helps security managers implement these recommendations; it emphasizes being prepared for a range of security breaches.

The guide suggests management controls that focus on compliance with the information protection policy, guidelines and standards to manage and reduce the risk of loss and protect an organization's mission. Detection controls warn of violations or attempted violations of security policy and include audit trails, intrusion detection methods and checksums. Recovery controls can be used to restore lost computing resources.

"In order to get a solid handle on all vulnerabilities, enterprises need sound policy definition and the ability to define secure states for different classes of systems," said Steve Solomon, CEO of Citadel Security, a provider of automated vulnerability remediation and policy enforcement solutions.

To ensure cost-effective controls and to allocate resources, organizations should conduct a cost-benefit analysis for each control to determine which are appropriate, says NIST. Each control should be evaluated for impact and cost of implementation, including purchase price, reduced system performance or functionality versus increased security, and hidden costs such as additional personnel and training, maintenance, and the cost of implementing additional policies and procedures.

"The costs and benefits should be weighed against system and data criticality in terms of maintaining an acceptable mission posture for the organization," said Gary Stoneburner, an IT specialist in the security division at NIST who coauthored the guide. Just as there is a cost for implementing a needed control, there's a cost for not implementing it, according to the guide.

NIST's guide also includes sample questions to ask site personnel to gain an understanding of the operational characteristics of an organization and a sample risk assessment report outline.


Copyright 2003 - 2008, TechTarget