When we think of “risk” most of us think about security and our ability to mitigate it. Like all things in enterprise architecture, we have a tendency (like our academic friends) to silo the subject in a dual attempt to define it and to influence it. Security has that behavior in spades.
There are some very good security frameworks to choose from, but I am inclined to ISACA’s COBIT5, because it is comprehensive, yet simple.
You can find an excellent, well-researched Info Security Policy summary here, and for a comprehensive dive into all of these bullet points navigate to the ISACA COBIT5 website; definitely get an account so you can use their knowledge centers for implementation and effective use. Now, short of just unplugging your laptop or turning off your cell phone, there is no “risk holy grail”, just a series of things you can do to achieve what I call competent risk mitigation:
- Keep it Simple: The more complexity you throw at a problem the more problems you will introduce.
- Security is Continuous: You must make sure that internal leadership and external clients understand that the completion of a security project (or many of them) does not mean the network will always be safe. A good executive responsibility breakdown is linked here.
- Risk Assessment: What you don’t know is killing you. A good risk assessment should identify vulnerabilities, both physical and virtual. Quick fixes tend to be patch management, anti-malware, monitoring services, and (believe it or not) doing nothing at all. Per Kasey Panetta at Gartner, “99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” Speaking of Gartner, here is their IT Risk Assessment vendor page and the MQ for IT Risk Management.
- Centralization: This is simple, but sometimes misunderstood. The exposure to intentional or accidental access to sensitive data is lower when it is stored in secured central location(s) instead of in an uncontrolled number of copies spread throughout the organization. Also, the rise of SIEM analytics has made centralized incident response a core service in modern security architectures.
- Security Planning: This starts when all security requirements for all of your existing systems have been identified. Physical security requirements need at least as much attention as logical ones, as lost and stolen equipment is still a major security issue.
- Security Strategy: An enterprise security strategy needs a layered framework to protect data. Microsoft did a very good job outlining this in their Enterprise Security best practices series, which you can find here. For summary purposes, a layered approach involves the following:
✓ Enterprise Data
✓ Applications that access the data
✓ Network on which corp. hosts reside
✓ Facility(ies) hosting compute and storage
✓ Servers on which the data and associated application(s) reside
✓ Perimeter separating your organization’s network from the Internet
When it comes to risk, time is never your friend. As attacks against enterprise targets from foreign intelligence agencies become the norm, it makes perfect sense to get help from every law enforcement avenue you can tap. For example, a couple of years ago we had the FBI over for a note sharing session that quickly turned into a live fire investigation. When you are up against countries, you have to fight fire with fire.