CertCities.com -- The Ultimate Site for Certified IT Professionals
Dulaney on Certs
Emmett Dulaney

A Visual Guide to Risk Management
"Risk management" is more complicated than the name suggests. Here's a rundown of each of the five types of risk management strategies that you'll need to know for the CompTIA Security+ exam.
by Emmett Dulaney
6/1/2011 -- Risk management is a new addition to the SY0-301 version of the CompTIA Security+ exam, joining the risk assessment concepts that have always been there. This visual guide, based on definitions in the Security+ Study Guide, 5th Edition (ISBN: 978-1118014738), illustrates the five types of risk management strategies this exam expects you to know: acceptance, avoidance, deterrence, mitigation and transference.

As an overly simplistic analogy, assume that the area in which you live has a problem with mailbox vandalism. Some group of miscreants is regularly driving about smashing mailboxes with baseball bats. The following discussion shows each risk strategy as it applies to dealing with this situation, and then the ways that the same strategy shows up in the workplace and on your systems.

Risk Acceptance
"Risk acceptance" is essentially acknowledging that the risk exists (and that you could be affected by it), then choosing to do nothing further. It does not mean that you will be affected by the risk, only that you realize you could be. Quite often, this is the choice you make when the cost of implementing any of the other strategies exceeds the expected loss if the risk comes to realization.

[Figure 1: risk acceptance]

In the case of the mailbox, you simply ignore the problem and hope that the ruffians never come down your street and stop at your mailbox. Considering all the mailboxes out there, this may be a reasonable approach, but if your house is two blocks down from the high school, the odds may be against you.

To truly qualify as acceptance, the risk cannot be one that the administrator -- or management -- does not know exists. They must be fully aware of it, understand the potential cost and damage, and make an informed decision to accept it. Every firm has a different level of risk tolerance (sometimes called a risk appetite) that it is willing to contend with. In practice the decision is written down, with an owner and a review date, so that an "accepted" risk does not quietly turn into a forgotten one.

Risk Avoidance
As opposed to acceptance, risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with it. For example, a company could decide that many risks are associated with e-mail attachments and simply ban all attachments from entering the network. As part of avoidance, the company takes steps that remove the risk, chooses to engage in some other activity, or puts a stop to its exposure. Avoidance should be based on an informed decision that the best course of action is to step away from the activity that would expose the company to the risk.

[Figure 2: risk avoidance]

In the case of the mailbox, rather than take a chance on someone smashing it, you simply choose to not have one. All letters that need to go out can be dropped off at the post office and the only ones coming in are probably bills anyway.

One of the biggest problems with risk avoidance is that you are steering clear of activities you may benefit from. The best risk avoidance strategy for keeping a business's computers from being compromised, for example, is simply not to use computers. For most companies, however, that solution is not only impractical but would also prevent them from adding social value -- not to mention monetary value -- for their stakeholders.

Risk Deterrence
The easiest way to think of risk deterrence is as a you-hit-me-and-I'll-hit-you-back-harder mentality. Deterrence involves understanding something about the enemy and letting them know the harm that can befall them if they cause harm to you. This can be as simple as posting prosecution policies on your log-in pages and convincing people you have steps in place to identify intrusions and act on them. A log-in banner of this kind does double duty: besides discouraging the casual intruder, it gives notice that the system is monitored, which matters if you later want to use what you recorded against someone.

[Figure 3: risk deterrence]

In the case of the mailbox, posting a sign on or near the mailbox warning of video surveillance and the threat of prosecution can serve as a deterrence that might convince the hoodlums to drive past this mailbox and get your neighbor Justin's instead.

One common deterrence building block used today for physical security is the security camera. When cameras are placed all about, a would-be attacker isn't sure when they are being monitored, what type of recording is taking place or other related factors, and will hopefully turn their attention to somewhere they can carry out their deeds without worry of repercussions.

Risk Mitigation
When you take steps to reduce the risk, you engage in risk mitigation (occasionally referred to as risk reduction). The harm can still occur, but you've reduced the impact it will have. Enclosing the mailbox in its own little fortress does not fully prevent someone from being able to destroy it -- they could still take their bats to it for hours -- but it greatly reduces the damage they can do, all other things remaining equal.

[Figure 4: risk mitigation]

Common steps in risk mitigation include installing anti-virus software (the virus may still come in, but you'll isolate it and stop it before it can do much harm), educating users about possible threats, monitoring network traffic, encrypting data to prevent it being of much value if it falls into the wrong hands, adding a firewall, and so on.

In its Security Intelligence Report, Volume 9, Microsoft lists the following suggestions for mitigating risk:

  • Keep security messages fresh and in circulation.
  • Target new employees and current staff members.
  • Set goals to ensure a high percentage of the staff is trained on security best practices.
  • Repeat the information to raise awareness.

Some tools that can be helpful include the Microsoft Security Assessment Tool (MSAT), which can identify risks; the Data Encryption Toolkit for Mobile PCs to add BitLocker and EFS to mobile devices; and the Windows Security Compliance Toolkit for rolling out BitLocker and EFS in enterprise environments.

Risk Transference
When you offload some of the risk to another party, you engage in risk transference. This does not mean that you are no longer exposed to the risk, but rather that you have divested some of it (sharing the burden, so to speak) to the other party. A common "other party" is an insurance company, which pays you a cash amount if all the required steps to reduce the risk were in place and your systems were harmed anyway. Because the harm is being distributed, risk transference is sometimes referred to as risk sharing.

[Figure 5: risk transference]

In the case of our mailbox analogy, moving from a standalone mailbox in the middle of nowhere to a grouping of boxes helps share the risk. If yours is the mailbox in the middle of the set of three shown, your box can still be smashed, but the odds of it happening have been reduced. Another alternative would be to rent a box at the post office, shifting some of the burden for maintaining the security and protection of the receptacle to that third party (the USPS).

A current trend in this category is to move many services to the cloud and have them hosted by a third-party provider. In so doing, you are engaging in a form of risk transference by counting on that provider for uptime, performance and security measures. Keep in mind what actually moves: the provider's contract and service-level agreement shift financial and operational burden, not accountability. Under the shared-responsibility model you still own how the service is configured, who is granted access, and the data you place in it, and a breach of that data is still your breach to report. Another transference possibility involves employing external consultants for assistance with solutions in areas where internal IT is weak and requiring them to guarantee or warrant their work.

A Second Analogy
Imagine that you are a junior administrator for a large IT department and you believe that one of the older servers should be replaced with a new one. There are no signs of failure now, but it would be prudent to upgrade before anything disastrous happens. The problem, however, is that all spending requires approval from your superior, who is focused on saving the company as much money as possible in order to be considered for a promotion and does not want anyone finding ways to spend money. You know him well enough to fear that if a problem does occur, he will not hesitate to put all the blame on you to save his own career. The following table shows how each of the possible risk strategies applies to this scenario:

Risk strategy -- Application

Risk acceptance -- You know the server could fail but pray that it doesn't. You don't want to rock the boat and make your boss unhappy with you. With luck, you'll have transferred out of there and on to coding before the server ever goes down.

Risk avoidance -- You begin moving services from the older server to other servers and remove the load to avoid the risk of any services being affected by its demise.

Risk deterrence -- You write up the possibility of the server failing along with details of what you think should be done to prevent it. You submit this to your boss and his boss as well. You use quantitative analysis to show the logic in replacing the server before it fails rather than after.

Risk mitigation -- You write up the possibility of a failure and submit it to your boss while also moving crucial services from that server to others.

Risk transference -- You write up the possibility of the server failing along with details of what you think should be done to prevent it. You submit it to your boss while keeping a copy for yourself. If the server does fail, you have proof that you documented this possibility and made the appropriate parties aware of the situation.
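The deterrence row above leans on "quantitative analysis," and the acceptance section says acceptance is the right call when every other option costs more than the harm it prevents. The following is an added example (mine, not code from the article or the Security+ Study Guide) that puts numbers to that comparison for the ageing-server scenario, using the standard Security+ quantitative formulas SLE = asset value x exposure factor and ALE = SLE x annualized rate of occurrence. Every dollar figure, frequency, exposure factor and the risk appetite is constructed for illustration. Deterrence is left out of the option list because a failing server has no adversary whose behaviour a warning could change.

```python
"""Quantitative comparison of risk strategies (added example, not from the article).

Formulas are the standard Security+ ones:
    SLE = asset value * exposure factor (EF)
    ALE = SLE * annualized rate of occurrence (ARO)
All figures below are constructed for the ageing-server scenario in the text.
"""
from dataclasses import dataclass
from typing import List, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: how much of the asset's value is lost in a single incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year = loss per incident * incidents per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Option:
    """One way of handling the risk: what it costs and what exposure it leaves behind."""
    strategy: str             # acceptance, avoidance, mitigation, transference
    annual_cost: float        # control cost, premium, lost business, etc., per year
    residual_ef: float        # fraction of the asset still lost per incident
    residual_aro: float       # incidents per year once the option is in place
    transferred: float = 0.0  # share of each loss the other party pays (transference)

    def residual_ale(self, asset_value: float) -> float:
        """Loss you still carry each year after applying this option."""
        sle = single_loss_expectancy(asset_value, self.residual_ef)
        return annualized_loss_expectancy(sle, self.residual_aro) * (1.0 - self.transferred)

    def total_annual_cost(self, asset_value: float) -> float:
        """The real price of the option: what you pay plus what you still lose."""
        return self.annual_cost + self.residual_ale(asset_value)


def net_benefit(asset_value: float, baseline: Option, option: Option) -> float:
    """Cost/benefit of a control: ALE reduction minus the price of achieving it.
    A negative result means the control costs more than the harm it prevents,
    which is exactly the situation in which acceptance is the rational choice."""
    reduction = baseline.residual_ale(asset_value) - option.residual_ale(asset_value)
    return reduction - option.annual_cost


def choose_strategy(asset_value: float, options: List[Option],
                    risk_appetite: float) -> Optional[Option]:
    """Cheapest option whose residual ALE fits the organisation's risk appetite.
    Returns None when nothing on the table fits: the risk is untreated and
    more (or different) options are needed before anyone can "accept" it."""
    within_appetite = [o for o in options if o.residual_ale(asset_value) <= risk_appetite]
    if not within_appetite:
        return None
    return min(within_appetite, key=lambda o: o.total_annual_cost(asset_value))


# --- constructed scenario: the ageing server from the second analogy ----------
SERVER_VALUE = 40_000.0  # hardware plus the business service it carries (assumed)

# Doing nothing: about one failure every two years, losing half the value each time.
ACCEPT = Option("acceptance", annual_cost=0.0, residual_ef=0.5, residual_aro=0.5)
# Moving services off the box: nothing left to lose on it, but spare capacity costs money.
AVOID = Option("avoidance", annual_cost=3_000.0, residual_ef=0.0, residual_aro=0.5)
# Replacing the server (price amortised per year): failures become rare, not impossible.
MITIGATE = Option("mitigation", annual_cost=2_500.0, residual_ef=0.5, residual_aro=0.1)
# Support contract or insurance paying 80% of each loss for a yearly premium.
TRANSFER = Option("transference", annual_cost=1_500.0, residual_ef=0.5,
                  residual_aro=0.5, transferred=0.8)
# Over-engineered fix whose price exceeds the harm it prevents.
GOLD_PLATED = Option("mitigation (gold-plated)", annual_cost=12_000.0,
                     residual_ef=0.0, residual_aro=0.0)

OPTIONS = [ACCEPT, AVOID, MITIGATE, TRANSFER, GOLD_PLATED]


def report(asset_value: float = SERVER_VALUE, risk_appetite: float = 2_500.0) -> dict:
    """Summarise every option (residual ALE, total cost, net benefit) and the pick."""
    rows = {o.strategy: (round(o.residual_ale(asset_value), 2),
                         round(o.total_annual_cost(asset_value), 2),
                         round(net_benefit(asset_value, ACCEPT, o), 2))
            for o in OPTIONS}
    chosen = choose_strategy(asset_value, OPTIONS, risk_appetite)
    return {"baseline_ale": ACCEPT.residual_ale(asset_value),
            "options": rows,
            "recommendation": chosen.strategy if chosen else None}


if __name__ == "__main__":
    result = report()
    print(f"Baseline ALE (do nothing): ${result['baseline_ale']:,.0f}/yr")
    for name, (residual, total, benefit) in result["options"].items():
        print(f"{name:<26} residual ALE ${residual:>8,.0f}  "
              f"total ${total:>8,.0f}  net benefit ${benefit:>8,.0f}")
    print("Recommended:", result["recommendation"])
```

With these constructed figures the baseline ALE is $10,000 a year, so doing nothing falls outside a $2,500 appetite and avoidance (moving the services off the box) comes out cheapest overall; the gold-plated fix has a negative net benefit, which is the "control costs more than the harm" case. Run `report(asset_value=2_000.0)` to see the other side: when the asset is worth little, acceptance wins on cost and is within appetite, which is precisely the informed do-nothing the article describes.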

Combining Approaches
Risk strategies need not be thought of as either/or propositions. It is often possible to combine a bit of deterrence with mitigation or avoidance. You typically combine strategies to reduce your exposure as much as is practical (minimizing the risk) and are then left with acceptance for whatever remains -- the residual risk -- that you cannot address any other way.

[Figure 6: combined approaches]

In the case of the mailbox analogy, grouping individual boxes together and enclosing them all in brick combines elements of both mitigation and transference.

Summary
Risk transference, mitigation, avoidance and deterrence are proactive solutions that require planning and implementation ahead of time. Risk acceptance, on the other hand, is a deliberate do-nothing approach, legitimate only once the risk has been identified and understood. These constitute the five strategies that CompTIA expects you to know for the risk management portion of the Security+ exam.

Emmett Dulaney is the author of several books on Linux, Unix and certification. He can be reached at .
