Analytics // Security Monitoring
10/23/2013
09:19 AM
Dark Reading
Dark Reading
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Using Risk Assessment To Prioritize Security Tasks And Processes

Prioritizing security tasks based on real risk measurements can be tough. Here's some advice to get you started

[The following is excerpted from "Using Risk Assessment to Prioritize Security Tasks and Processes," a new report posted this week on Dark Reading's Risk Management Tech Center.]

Information security practitioners are in an increasingly difficult position in most enterprises for several reasons. For one thing, changes in how enterprises adopt, deploy and use technology have raised the complexity bar for the environments that practitioners are charged with defending.

For example, virtualization, cloud and mobile technologies have expanded the footprint of technology in the enterprise -- and along with it the security practitioner's scope of responsibility. At the same time, the number of compromise methods is increasing: Attackers have become more sophisticated, there are more of them, and they espouse a variety of motivations.

Given all of this, it's clear why the remit of security practitioners is more challenging than it used to be. But despite the rise in environmental complexity, spending is relatively stagnant. For example, the most recent Global State of Information Security Survey from PricewaterhouseCoopers shows that fewer than half of the organizations surveyed expect information security budgets to increase. This is why prioritization is so important in a security context -- not only does security investment need to stretch further, there's less room for error when the stretching occurs.

This question of prioritization then becomes one of the key elements (not to mention benefits) of formalized risk management techniques. For organizations that aren't using formalized risk management methods, prioritization is an acutely felt pain point.

But even for organizations that have employed these techniques, technical prioritization often requires further analysis in order for them to be effectively put into practice. In other words, risk management efforts performed at a high level might fail to take into account the specifics of the technical environment, leaving room for interpretation or further prioritization down the line.

In any case, the art of prioritization can help enterprises master the science of security. In this Dark Reading report, we recommend how to adapt elements of risk management that address prioritization in mitigation efforts for use at the technical level. This technique isn't always easy -- and organizations must have some prerequisites in place in order to leverage it fully -- but it is a necessity for security to perform optimally. It's no longer possible to defend everything equally, so focusing on specific, strategic areas of concern is a must.

At a high level, the risk management process can be thought of as iterative, encompassing a number of key steps. These include:

• Identify: The process of determining the possible risks that a given organization might have

• Assess: Determining the degree to which the organization is susceptible

• Mitigate: The process of treating risks -- for example, by avoiding, remediating, transferring or accepting the risk (that is, determining that the risk cannot be practically or practicably offset)

• Monitor: Keeping track of the risk over time to ensure that it doesn't increase, to determine if it's exploited and to inform future decision-making if it's obviated.

To learn more about the process of risk assessment -- and how to translate the results into a prioritized action list -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio