Risk mitigation strategies.

PACE-IT, Security+ 2.3: Risk Mitigation Strategies


Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: Industry Certifications, PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Qualifications Summary

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required—with a focus on technology.


Risk mitigation strategies.

– The why of taking risks.

– Strategies for mitigating risk.


The why of taking risks.


It seems to be a law of nature, inflexible and inexorable, that those who will not risk cannot win.

– John Paul Jones


In the marketplace, there is no reward without taking on the risk of failure.

This brings up an interesting quandary. Investors will often reward risk by increasing the value of a company. On the other hand, failure due to risk taking often leads to changes in management.

Management will often take on risk to gain the rewards, while, at the same time, implementing strategies to mitigate the amount of risk that it is willing to assume.


Strategies for mitigating risk.


– Change management (CM).

» All change represents a risk to systems—a small change in one system may have a ripple effect that multiplies through the whole system.

• CM is implemented in order to evaluate changes for their effects on the system as a whole.

• CM allows for changes to occur, while, at the same time, mitigating the risks associated with those changes.

– Review of user rights and user permissions.

» Users must be granted rights and permissions in order to function in their positions. These rights and permissions may, in fact, represent a security risk.

• Periodic reviews should be conducted on user rights and permissions to ensure that the principle of least privilege is being followed—thus mitigating risk.

• Periodic reviews should be conducted on user rights and permissions to ensure that unnecessary user accounts are removed from the system—also mitigating risk.
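A periodic review of this kind can be run as a script over an account export. The following is an added example, not part of the original slides; the role baseline, the account records and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Constructed role baseline: the permissions each job role actually needs.
ROLE_BASELINE = {
    "helpdesk": {"reset_password", "read_tickets"},
    "dba": {"db_read", "db_write", "db_backup"},
    "accounting": {"ledger_read", "ledger_write"},
}

# Constructed account inventory, as an export from a directory might look.
ACCOUNTS = [
    {"user": "alee", "role": "helpdesk", "active_employee": True,
     "last_login": date(2024, 5, 28),
     "permissions": {"reset_password", "read_tickets", "db_write"}},
    {"user": "bkhan", "role": "dba", "active_employee": True,
     "last_login": date(2024, 5, 30),
     "permissions": {"db_read", "db_write", "db_backup"}},
    {"user": "cdiaz", "role": "accounting", "active_employee": False,
     "last_login": date(2024, 1, 12),
     "permissions": {"ledger_read", "ledger_write"}},
    {"user": "svc_old", "role": "dba", "active_employee": True,
     "last_login": date(2023, 11, 2),
     "permissions": {"db_read"}},
]

def review_accounts(accounts, baseline, today, max_idle_days=90):
    """Return (user, reasons) for every account that needs follow-up."""
    findings = []
    for acct in accounts:
        reasons = []
        # Least privilege: anything beyond the role baseline is excess.
        excess = acct["permissions"] - baseline.get(acct["role"], set())
        if excess:
            reasons.append("excess permissions: " + ", ".join(sorted(excess)))
        # Unnecessary accounts: owner has left, or the account sits unused.
        if not acct["active_employee"]:
            reasons.append("owner no longer employed")
        idle = (today - acct["last_login"]).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if reasons:
            findings.append((acct["user"], reasons))
    return findings

if __name__ == "__main__":
    for user, reasons in review_accounts(ACCOUNTS, ROLE_BASELINE, date(2024, 6, 1)):
        print(f"{user}: {'; '.join(reasons)}")
```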


– Perform routine audits.

» Audits (reviews) of systems should be conducted on a regular basis in order to reduce risks.

• Security audits can be conducted on many different systems to evaluate different aspects of risk, including system configurations and vulnerability assessments.

– Incident management.

» A type of after-the-fact mitigation technique.

• After a security incident has occurred, effective incident management can help to contain the damage.

• After a security incident has occurred, effective incident management can help to prevent it from occurring again.

– Enforcing policies and procedures.

» Effective policies and procedures can reduce the chances of a risk event ever taking place.

• Proper enforcement of policies and procedures can help to prevent the loss or theft of data.


Data loss prevention (DLP) systems can be implemented as a type of technology control to mitigate the risk of loss or theft of data.

DLP systems can be a software application or network appliance. They are designed to analyze information traversing the network to help ensure that sensitive data remains contained inside the established safe boundaries.

DLP systems can monitor network links and review what is being transmitted through protocols associated with instant messaging, email, FTP, HTTP, etc. DLP systems may also be configured to scan storage systems to help ensure that data is being stored in the proper locations.
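The content-inspection step of a DLP system can be sketched as follows. This is an added example, not part of the original slides and not any vendor's implementation; the internal domain, the two data patterns and the sample traffic are constructed assumptions.

```python
import re

# Assumption for this example: the "safe boundary" is one internal domain.
INTERNAL_DOMAINS = {"corp.example"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN layout

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the sorted data types detected in a payload."""
    hits = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.add("payment_card")
    if SSN_RE.search(text):
        hits.add("ssn")
    return sorted(hits)

def inspect(event):
    """Block only when sensitive data is leaving the safe boundary."""
    hits = find_sensitive(event["payload"])
    leaving = event["dest_domain"] not in INTERNAL_DOMAINS
    return {"protocol": event["protocol"], "matched": hits,
            "action": "block" if hits and leaving else "allow"}

# Constructed sample traffic, one event per protocol the slide lists.
EVENTS = [
    {"protocol": "email", "dest_domain": "partner.example",
     "payload": "Card on file: 4111 1111 1111 1111, exp 09/27"},
    {"protocol": "http", "dest_domain": "corp.example",
     "payload": "employee_ssn=123-45-6789"},
    {"protocol": "ftp", "dest_domain": "vendor.example",
     "payload": "order ref 1234 5678 9012 3456 shipped"},
    {"protocol": "im", "dest_domain": "chat.example",
     "payload": "my SSN is 123-45-6789"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(inspect(e))
```

The FTP event carries a 16-digit order reference that fails the Luhn check, so it is not treated as a card number; the HTTP event contains an SSN but stays inside the boundary, so it is allowed and only recorded as a match.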


What was covered.

Topic: The why of taking risks.

Summary: John Paul Jones once said, “It seems to be a law of nature, inflexible and inexorable, that those who will not risk cannot win.” There is no reward in the marketplace without taking risks. Investors reward risk, while, at the same time, punishing failure. Management often takes on risk, while, at the same time, implementing strategies to mitigate risk and the effects of risk.

Topic: Strategies for mitigating risk.

Summary: Any change in a system represents a risk. CM is a mitigation strategy to reduce the risks associated with changes to systems. Periodic reviews of user rights and privileges can also mitigate risk. Security audits should be performed to reduce risks to systems and data. Effective incident management can restrict the damage that a risk event causes and help to prevent that event from occurring again. Properly enforcing policies and procedures can help to prevent the loss or theft of data. DLP systems can also be put in place to help prevent the loss or theft of sensitive data.


This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.