Safeguards applied to reduce risk to an acceptable level based on financial evaluation of value of resource, cost of loss, size of threat, likelihood of vulnerability
appropriately installed & maintained
easy to use
difficult to bypass
interoperable with other security
Both proactive/protective and reactive/detective needed: protecting info before an incident or when incident is detected.
consistent across platforms (devices), OS, locations,
comprehensive so every system provides same level of protection
cost-effective so amount of protection reflects value of info
Methods: avoidance, transference, mitigation, acceptance.
Avoidance: proactive, prevent incidents from occurring. preferred method.
reduce threats (PR to cyberactivists)
remove vulnerabilities: patching, least privileges
adding safeguards: more identification & authentication
Can not avoid all risk, so:
Transference: shift risk to other organizations (eg. insurance hacker policy or outsourced network, security, data center)
Limit loss to predefined predictable amount.
Can not avoid and transfer all risk, so:
Mitigation: minimize impact of incident: rapid response & reinstatement of services. Security incident & disaster response plans.
reduce scope of damage by compartmentalizing system, minimizing interaction amoung systems, reduce unverified trust.
improve detection so that incidents detected rapidly and not undiscovered
Acceptance: ignore small risks