Analytics // Security Monitoring
10/23/2013
09:19 AM
Dark Reading
Dark Reading
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Using Risk Assessment To Prioritize Security Tasks And Processes

Prioritizing security tasks based on real risk measurements can be tough. Here's some advice to get you started

[The following is excerpted from "Using Risk Assessment to Prioritize Security Tasks and Processes," a new report posted this week on Dark Reading's Risk Management Tech Center.]

Information security practitioners are in an increasingly difficult position in most enterprises for several reasons. For one thing, changes in how enterprises adopt, deploy and use technology have raised the complexity bar for the environments that practitioners are charged with defending.

For example, virtualization, cloud and mobile technologies have expanded the footprint of technology in the enterprise -- and along with it the security practitioner's scope of responsibility. At the same time, the number of compromise methods is increasing: Attackers have become more sophisticated, there are more of them, and they espouse a variety of motivations.

Given all of this, it's clear why the remit of security practitioners is more challenging than it used to be. But despite the rise in environmental complexity, spending is relatively stagnant. For example, the most recent Global State of Information Security Survey from PricewaterhouseCoopers shows that fewer than half of the organizations surveyed expect information security budgets to increase. This is why prioritization is so important in a security context -- not only does security investment need to stretch further, there's less room for error when the stretching occurs.

This question of prioritization then becomes one of the key elements (not to mention benefits) of formalized risk management techniques. For organizations that aren't using formalized risk management methods, prioritization is an acutely felt pain point.

But even for organizations that have employed these techniques, technical prioritization often requires further analysis in order for them to be effectively put into practice. In other words, risk management efforts performed at a high level might fail to take into account the specifics of the technical environment, leaving room for interpretation or further prioritization down the line.

In any case, the art of prioritization can help enterprises master the science of security. In this Dark Reading report, we recommend how to adapt elements of risk management that address prioritization in mitigation efforts for use at the technical level. This technique isn't always easy -- and organizations must have some prerequisites in place in order to leverage it fully -- but it is a necessity for security to perform optimally. It's no longer possible to defend everything equally, so focusing on specific, strategic areas of concern is a must.

At a high level, the risk management process can be thought of as iterative, encompassing a number of key steps. These include:

• Identify: The process of determining the possible risks that a given organization might have

• Assess: Determining the degree to which the organization is susceptible

• Mitigate: The process of treating risks -- for example, by avoiding, remediating, transferring or accepting the risk (that is, determining that the risk cannot be practically or practicably offset)

• Monitor: Keeping track of the risk over time to ensure that it doesn't increase, to determine if it's exploited and to inform future decision-making if it's obviated.

To learn more about the process of risk assessment -- and how to translate the results into a prioritized action list -- download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

CVE-2014-0897
Published: 2014-08-29
The Configuration Patterns component in IBM Flex System Manager (FSM) 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module (CMM) account creation, which makes it easier for remote authenticated users to defeat cryptographic protection me...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.