How to Ensure That Your Risk Management Strategy is Complete

Many companies embark on their risk management strategies from a single perspective, and do little more than put automated tools in place that will monitor activities for patterns and trends, and alert appropriate personnel when an abnormal or out of the ordinary event occurs. 

However, risk management is not nearly that simple.  Related strategies are complex and multi-faceted.  Even the slightest oversight can put sensitive or confidential data in jeopardy – and result in stiff monetary penalties or negative impact to the company’s image and reputation.  So, in order to ensure optimum security of their IT infrastructure, organizations must make their risk management initiatives as comprehensive as possible. 

A truly complete risk management strategy must include the following steps:

• Risk assessment.  Identify all probable threats, and prioritize them based on their likelihood and their potential impact.
• Asset audit.  Build a list of all information assets, including databases, applications, files, and other sources that contain data that may subject to breach.  Carefully evaluate each, and assess their vulnerability to an attack.
• Process definition. Create and document the procedures for the ongoing monitoring and analysis of all software, hardware, and virtual information assets.  These defined activities must be readily accessible to and clearly understandable by all key stakeholders.  They must also be strictly enforced, with specific penalties outlined for those who put information at risk by failing to adhere to written guidelines. 
• Tool selection.  Determine what types of technology solutions may be needed, and evaluate and select a suite of automated tools to assist in the monitoring and alerting process. 
• Incident response.  Define step-by-step workflows for responding to and investigating (when needed) a potential breach.  This must not only include a list of all required tasks and activities, but rigid timelines for executing them. 
• Assignment of resources.  Determine who will be responsible for the various aspects of risk management, and clearly highlight the roles and responsibilities of each key stakeholder.  Be sure to define a chain of command, as well as a contingency or succession plan to minimize disruption to risk management when assigned resources are unavailable, or when they leave the company. 

The last, and perhaps most important, step is ongoing enhancement.  Continuously test and evaluate the various components of the strategy, including tools and technologies being utilized, and make refinements as needed.  This is particularly important after the detection of a breach event, when a post-response de-brief can help facilitate the creation of best practices (for those processes that proved to be effective) and result in lessons learned (for those procedures that did not work). 

Leveraging the NIST Framework for Effective Risk Management

Risk management has become a key priority for many companies.  Yet, few really understand what a comprehensive risk management strategy entails, or how to effectively implement one across their entire enterprise. 

That’s why many businesses are turning to the National Institute of Standards and Technology (NIST) for guidance.  NIST has designed a methodology for implementing comprehensive and consistent risk management guidelines and processes throughout the federal government.  The goal is to maximize protection of classified information contained within IT systems and services by ensuring that common tools, solutions, and procedures are deployed and utilized among all agencies.  At the same time, the NIST methodology strives to create a secure technology environment, without hindering the needed information sharing between federal, state, and local offices. 

Because it is so comprehensive, corporations are seeking to leverage this framework for their own risk management purposes.  For example, the NIST approach has already taken into consideration all the factors that have put information systems at greater risk than ever before, including:

• The growing complexity of IT architectures
• The increased sophistication of cyber criminals
• The rising number of “virtual” assets that need to be protected
• The need to balance security with real-time collaboration and data access and sharing requirements

Additionally, the NIST technique utilizes a phased approach to risk management that can act as a guide to other companies, helping them take the needed steps to implement true, enterprise-wide risk management, such as:

• Defining and measure existing risks
• Prioritizing threats based on likelihood, extend of potential damage, and acceptability
• Identifying those staff members who will be responsible for risk management, and outlining their roles
• Selecting, purchasing, and deploying the needed tools
• Configuring all systems, databases, and services for maximum protection
• Setting, documenting and enforcing security monitoring procedures
• Creating response processes to be executed in the event of a breach
• Conducting ongoing auditing and analysis of current procedures, and continuous refinement as needed

And, because NIST created their recommendations to address broad, nationwide security requirements, as well as the needs of various individual federal agencies, they offer maximum flexibility.  This is particularly important for large, global organizations that need to standardize its risk management activities, while allowing each department, office, or business unit to adjust techniques as needed to satisfy unique security requirements. 

Risk management initiatives require a tremendous amount of time and resources.  So, instead of starting from scratch, companies should look to NIST, and use their existing framework as the basis for their projects.  This will accelerate the development and implementation of risk management strategies, while ensuring success through the use of proven techniques and methodologies.

Log Management: What Is It And How Does It Facilitate Security?

As companies across all industries continue to seek out innovative ways to protect themselves from fraud and security breaches, the use of log management is emerging as a highly effective protection technique.  A log is a comprehensive register of all computer actions and events – every application, regardless of its type or purpose, generates one.  The data contained in these logs can provide valuable insight into what is occurring in a company’s back-end systems and networks, helping them to rapidly identify potential security issues.

Log management is a rigid business discipline that utilizes a combination of hardware, software, networks, and media to facilitate the ongoing generation, collection, transmission, storage, analysis, and disposal of log data.  With log management, companies can obtain a complete, accurate, and verifiable view of computer activity-related information from across their enterprise.

Log management is essential to ensuring that security records are utilized and maintained in the most effective manner possible. With a comprehensive log management strategy, companies can:

• Understand how users access and navigate various computer systems
• Gain insight into patterns and trends in user activity, and instantly uncover any variations that may be of concern
• Minimize losses by swiftly detecting and responding to breaches as soon as they happen
• Proactively prohibit breaches by understanding how they occur, and putting preventative measures in place
• Facilitate compliance with industry and regulatory requirements pertaining to data management and protection

Implementing a log management strategy should be of the utmost importance for companies who are highly prone to security breaches such as banks, credit card companies, etc.  These businesses should begin developing their plan by:

• Identifying which system logs are the most critical.  Many experts recommend monitoring the logs of firewalls, anti-virus software, and VPNs, as well as any transactional applications that store confidential data.
• Creating clear, well-defined log management policies.
• Outlining the roles and responsibilities of those who will oversee the initiative. 
• Deploying the needed infrastructure to support log management efforts.

But, perhaps the most critical component of log management is log analysis.  In order for log management to be most successful, and to provide the greatest proactive protection against security breaches, the continuous flow of data generated by system logs must be reviewed and analyzed frequently.  This will enable immediate identification of unauthorized access, policy violations, or fraudulent transactions.

In future posts, I will address how log management enables compliance with specific legislation, such as PCI, HIPAA, and SOX, and highlight tips and best practices in log management.