Risk management is the total process of identifying, measuring, and minimizing uncertain events affecting resources. A primary feature of risk management is classifying the security posture (i.e., threats and vulnerabilities) of the system and stating the characteristics of the operational environment from a security perspective. The primary objective of risk management is to identify specific areas where safeguards are needed against deliberate or inadvertent unauthorized disclosure, modification of information, denial of service, and unauthorized use. Countermeasures can then be applied in those areas to eliminate or adequately reduce the identified risk. The results of this activity provide critical information for making an accreditation decision.
Risk management may comprise risk analysis, cost-benefit analysis, countermeasure selection, security test and evaluation (ST&E), countermeasure implementation, penetration testing, and systems review. Other federal departments and agencies have similar policy documents that should be referenced for guidance.
Risk analysis minimizes risk by specifying security measures commensurate with the relative values of the resources to be protected, the vulnerabilities of those resources, and the identified threats against them. Risk analysis should be applied iteratively during the system life cycle. When applied to system design, a risk analysis aids in countermeasure specification. When applied during the implementation phase or to an operational system, it can verify the effectiveness of existing countermeasures and identify areas in which additional measures are needed to achieve the desired level of security. There are numerous risk analysis methodologies, and some automated tools are available to support them.
Management commitment to a comprehensive risk management program must be defined as early as possible in the program life cycle. In scheduling risk management activities and designating resources, careful consideration should be given to C&A goals and milestones. Associated risks can then be assessed and corrective action considered for risks that are unacceptable.
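The risk analysis, cost-benefit analysis and countermeasure selection steps described above can be made concrete with a small quantitative model. The following is an added example, not code from the original page; it uses the standard annualized loss expectancy (ALE) method, which the page itself does not name, and all assets, threats, values and countermeasure costs in it are constructed for illustration.

```python
"""Quantitative risk analysis with cost-benefit countermeasure selection.

Added example (not from the original page). It applies the standard
annualized loss expectancy (ALE) method, which the page does not name:
    SLE = asset value * exposure factor        (loss per occurrence)
    ALE = SLE * annualized rate of occurrence  (expected loss per year)
A countermeasure is worth applying when the ALE it removes exceeds its
annual cost. Every asset, threat and figure below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # expected occurrences per year


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float        # fraction by which the threat's ARO drops (0..1)
    ef_reduction: float = 0.0   # fraction by which the exposure factor drops (0..1)


@dataclass
class Asset:
    name: str
    value: float
    threats: list  # of Threat


def sle(asset, threat):
    """Single loss expectancy: what one occurrence of the threat costs."""
    return asset.value * threat.exposure_factor


def ale(asset, threat):
    """Annualized loss expectancy before any new countermeasure."""
    return sle(asset, threat) * threat.aro


def residual_ale(asset, threat, cm):
    """ALE that remains once the countermeasure is in place."""
    return (asset.value * threat.exposure_factor * (1 - cm.ef_reduction)
            * threat.aro * (1 - cm.aro_reduction))


def net_benefit(asset, threat, cm):
    """Annual value of a countermeasure: ALE removed minus its annual cost."""
    return ale(asset, threat) - residual_ale(asset, threat, cm) - cm.annual_cost


def select_countermeasures(asset, threat, candidates):
    """Cost-benefit selection: keep only measures that pay for themselves,
    ordered from highest to lowest net benefit."""
    scored = [(net_benefit(asset, threat, c), c) for c in candidates]
    scored.sort(key=lambda t: t[0], reverse=True)
    return [c for benefit, c in scored if benefit > 0]


def risk_register(assets):
    """Rank every (asset, threat) pair by ALE so the largest risks are reviewed first."""
    rows = [(a.name, t.name, ale(a, t)) for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def is_unacceptable(asset, threat, cm, threshold):
    """True when residual risk with this measure still exceeds management's threshold."""
    return residual_ale(asset, threat, cm) > threshold


# --- constructed sample data (hypothetical figures, not from the page) ---
RANSOMWARE = Threat("ransomware", exposure_factor=0.6, aro=0.2)
PHISHING = Threat("credential phishing", exposure_factor=0.1, aro=1.0)
DB = Asset("customer database", value=500_000, threats=[RANSOMWARE, PHISHING])
WEB = Asset("public web site", value=50_000, threats=[Threat("defacement", 0.2, 0.5)])

CANDIDATES = [
    Countermeasure("offline backups", annual_cost=15_000, aro_reduction=0.0, ef_reduction=0.8),
    Countermeasure("endpoint detection", annual_cost=25_000, aro_reduction=0.5),
    Countermeasure("24x7 outsourced SOC", annual_cost=80_000, aro_reduction=0.7),
]

if __name__ == "__main__":
    for asset_name, threat_name, exposure in risk_register([DB, WEB]):
        print(f"{asset_name:20s} {threat_name:20s} ALE={exposure:>10,.0f}")
    for cm in select_countermeasures(DB, RANSOMWARE, CANDIDATES):
        print(f"select {cm.name}: net benefit {net_benefit(DB, RANSOMWARE, cm):,.0f}/yr")
```

The register orders risks by expected annual loss, which is the prioritisation input the page's "identified threats" step needs, and the selection function encodes the cost-benefit rule: a measure whose annual cost exceeds the loss it prevents is dropped even if it reduces risk. Running the analysis again after measures are deployed, with the residual figures as the new baseline, is the iterative use the page describes.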
More specific risk management and GRC services include the following:
» Policy Development and Review
» Information Security Risk Assessment
» Security Awareness Program
» Incident Response Program Development
» Certification and Accreditation