Question

In: Computer Science

What is risk management and discuss some techniques used in information security? Think of a real-world scenario in your organization and how you would apply it.

Solutions

Expert Solution

Information security risk management

Information security risk management is the process of managing risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization’s assets. The end goal of this process is to treat risks in accordance with an organization’s overall risk tolerance. Businesses shouldn’t expect to eliminate all risks; rather, they should seek to identify and achieve an acceptable risk level for their organization.

  • Management implies someone proactively, deliberately, explicitly and systematically identifying, assessing, evaluating and dealing with risks on an ongoing basis (coping with any changes), along with related governance aspects such as direction, control, authorization and resourcing of the process, risk treatments etc.;
  • Risk, in this context, is the potential occurrence of events or incidents that materially harm the organization’s interests;
  • Information is the valuable meaning or knowledge or understanding that we derive from data such as the content of computer files, paperwork, conversations, expertise, intellectual property and so forth.

Treatment
Once a risk has been assessed and analyzed, an organization will need to select treatment options:

  • Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.
    Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.
  • Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.
    Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.
  • Transference: Transferring the risk to another entity so your organization can recover from incurred costs of the risk being realized.
    Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited. (Note: this should be used to supplement risk remediation and mitigation but not replace them altogether.)
  • Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk costs more than the costs that would be incurred if the risk were to be realized.
    Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server; it cannot be used as an entry point to access other critical assets, and a successful exploit of the vulnerability is very complex. As a result, you decide you do not need to spend time and resources to fix the vulnerability.
  • Risk avoidance: Removing all exposure to an identified risk.
    Example: You have identified servers with operating systems (OS) that are about to reach end-of-life and will no longer receive security patches from the OS creator. These servers process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data being compromised, you quickly migrate that sensitive data to newer, patchable servers. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate non-sensitive data to other servers.

Techniques for protecting information

Several information security techniques may be applied to protect digital material:

Encryption

Encryption is a cryptographic technique which protects digital material by converting it into a scrambled form. Encryption may be applied at many levels, from a single file to an entire disk. Many encryption algorithms exist, each of which scrambles information in a different way. These require the use of a key to unscramble the data and convert it back to its original form. The strength of the encryption method is influenced by the key size. For example, 256-bit encryption will be more secure than 128-bit encryption.

It should be noted that encryption is only effective when a third party does not have access to the encryption key in use. A user who has entered the password for an encrypted drive and left their machine powered on and unattended will provide third parties with an opportunity to access data held in the encrypted area, which may result in its release.

Similarly, encryption security measures (if used) can lose their effectiveness over time in a repository: there is effectively an arms race between encryption techniques and computational methods to break them. Hence, if used, all encryption by a repository must be actively managed and updated over time to remain secure.

Encrypted digital material can only be accessed over time in a repository if the organisation manages its keys. The loss or destruction of these keys will result in data becoming inaccessible.

Access Control

Access controls allow an administrator to specify who is allowed to access digital material and the type of access that is permitted (for example read only, write). The Handbook follows the National Digital Stewardship Alliance preservation levels in recommending four levels at which digital preservation can be supported through access control.

Redaction

Redaction refers to the process of analyzing a digital resource, identifying confidential or sensitive information, and removing or replacing it. Common techniques applied include anonymization and pseudonymization to remove personally identifiable information, as well as cleaning of authorship information. When related to data sets this is usually carried out by the removal of information while retaining the structure of the record in the version being released. You should always carry out redaction on a copy of the original, never on the original itself.

The majority of digital materials created using office systems, such as Microsoft Office, are stored in proprietary, binary-encoded formats. Binary formats may contain significant information which is not displayed, and its presence may therefore not be apparent. They may incorporate change histories, audit trails, or embedded metadata, by means of which deleted information can be recovered or simple redaction processes otherwise circumvented. Digital materials may be redacted through a combination of information deletion and conversion to a different format. Certain formats, such as plain ASCII text files, contain displayable information only. Conversion to this format will therefore eliminate any information that may be hidden in non-displayable portions of a bit stream.

Create an Effective Security Risk Management Program

Defeating cyber criminals and halting internal threats is a challenging process. Bringing data integrity and availability to your enterprise risk management is essential to your employees, customers, and shareholders.

Create your risk management process and take strategic steps to make data security a fundamental part of conducting business.

In summary, best practices include:

  • Implement technology solutions to detect and eradicate threats before data is compromised.
  • Establish a security office with accountability.
  • Ensure compliance with security policies.
  • Make data analysis a collaborative effort between IT and business stakeholders.
  • Ensure alerts and reporting are meaningful and effectively routed.

Conducting a complete IT security assessment and managing enterprise risk is essential to identify vulnerability issues.

Develop a comprehensive approach to information security.
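
The Redaction section above notes that office documents can carry change histories and embedded metadata that are not displayed, and that converting to plain text drops them. The following is an added example, not part of the original answer, that audits a document for such hidden content before release. It assumes the zip-based .docx container rather than the older binary formats, and the sample document and names in it are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

# Constructed sample (not from the page): one tracked deletion plus author metadata.
DOCUMENT_XML = (
    f'<w:document xmlns:w="{W}"><w:body><w:p>'
    '<w:r><w:t>Contract value: </w:t></w:r>'
    '<w:del w:id="1" w:author="A. Example"><w:r><w:delText>4,200,000</w:delText></w:r></w:del>'
    '<w:r><w:t>[REDACTED]</w:t></w:r></w:p></w:body></w:document>'
)
CORE_XML = (
    f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}"><dc:creator>A. Example</dc:creator>'
    '<cp:lastModifiedBy>B. Sample</cp:lastModifiedBy></cp:coreProperties>'
)

def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()

def _part(z: zipfile.ZipFile, name: str):
    """Parse one XML part of the package, or return None if it is absent."""
    return ET.fromstring(z.read(name)) if name in z.namelist() else None

def audit(docx_bytes: bytes) -> dict:
    """Report content that is stored in the file but never shown on screen."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        body, core = _part(z, "word/document.xml"), _part(z, "docProps/core.xml")
        has_comments = "word/comments.xml" in z.namelist()
    authors = set()
    if core is not None:
        for tag in (f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"):
            authors.update(e.text for e in core.iter(tag) if e.text)
    return {"deleted_text": [e.text for e in body.iter(f"{{{W}}}delText") if e.text],
            "authors": sorted(authors), "has_comments": has_comments}

def visible_text(docx_bytes: bytes) -> str:
    """Plain-text conversion: keep only displayed runs (w:t) and drop everything else."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        body = _part(z, "word/document.xml")
    return "".join(e.text or "" for e in body.iter(f"{{{W}}}t"))
```

Run `audit()` on the working copy, never the original, and release only when it reports no deleted text, authors, or comments, or release the output of `visible_text()` instead.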

