Chapter 5 Assigning Safeguards

what to protect, what to protect it from, where to put the protection, how much protection is necessary

Safeguards applied to reduce risk to an acceptable level based on financial evaluation of value of resource, cost of loss, size of threat, likelihood of vulnerability

appropriately installed & maintained
cost effective
easy to use
difficult to bypass
interoperable with other security

Both proactive (protective) and reactive (detective) safeguards needed: protecting info before an incident, and responding once an incident is detected.

consistent across platforms (devices), OS, locations, organizations
comprehensive so every system provides same level of protection
cost-effective so amount of protection reflects value of info

Methods: avoidance, transference, mitigation, acceptance.
Avoidance: proactive, prevents incidents from occurring. Preferred method.
reduce threats (e.g. PR outreach to cyberactivists)
remove vulnerabilities: patching, least privilege
limit access
add safeguards: more identification & authentication

Cannot avoid all risk, so:
Transference: shift risk to other organizations (e.g. hacker insurance policy, or outsourced network, security, or data center).
Limits loss to a predefined, predictable amount.

Cannot avoid and transfer all risk, so:
Mitigation: minimize impact of an incident: rapid response & reinstatement of services. Security incident & disaster response plans.
reduce scope of damage by compartmentalizing systems, minimizing interaction among systems, reducing unverified trust.
improve detection so incidents are detected rapidly rather than going undiscovered.

Acceptance: ignore small risks