Is Your Risk Management Plan As Good As It Gets?
By Shawna McAlearney
Not all security incidents can be prevented, nor is it cost-effective
to try. Each control should be evaluated on its own merits prior to
implementation. Issues to consider: direct costs; training; decreased
system performance; and public perception.
To help security managers put such recommendations into practice, the
National Institute of Standards and Technology (NIST) has just released
an incident response guide that places its emphasis on being prepared
for a range of security breaches before they happen.
The guide describes management controls that focus on compliance with
the information protection policy, guidelines and standards, in order
to manage and reduce the risk of loss and protect an organization's
mission. Detection controls warn of violations or attempted violations
of security policy and include audit trails, intrusion detection
methods and checksums. Recovery controls are used to restore computing
resources that have been lost.
"In order to get a solid handle on all vulnerabilities, enterprises
need sound policy definition, and the ability to define secure states
for different classes of systems," said Steve Solomon, CEO of Citadel
Security, a provider of automated vulnerability remediation and
policy enforcement solutions.
To ensure cost-effective controls and to allocate resources,
organizations should conduct a cost-benefit analysis for each control
to determine which are appropriate, says NIST. Each control should be
evaluated for impact and cost of implementation, including purchase
price, reduced system performance or functionality versus increased
security, and hidden costs such as additional personnel and training,
maintenance, and the cost of implementing additional policies and
"The costs and benefits should be weighed against system and data
criticality in terms of maintaining an acceptable mission posture for
the organization," said Gary Stoneburner, an IT specialist in the
security division at NIST who coauthored the guide. Just as there is
a cost for implementing a needed control, there's a cost for not
implementing it, according to the guide.
NIST's guide also includes sample questions to ask site personnel to
gain an understanding of the operational characteristics of an
organization and a sample risk assessment report outline.
NIST says a successful risk management program rests on five key
aspects: senior management's commitment; IT's full support and
participation; the capability of the risk assessment team to identify
mission risks and provide cost-effective safeguards; the awareness
and cooperation of members of the user community; and ongoing
evaluation and assessment of the IT-related mission risks.
"These are basic principles we believe should always be considered,"
Incident response guidelines: