All companies are vulnerable to attacks on their data if they have any networks that are exposed outside of the company. Even if the networks are only internal, a company is still at risk of an internal attack from an employee who stands to gain from the attack or who is disgruntled with the company.
There are many strategies that a company can take to mitigate risk to its assets. Some companies, such as financial institutions and medical practices, are required by law to protect their assets. Many regulations must be complied with to protect the personal information of these organizations' customers and patients. In that case, defense is the only option for these businesses.
The following are five strategies that can be used for information asset risk control in an organization (Whitman 2014):
- Defense: Implement additional safeguards to eliminate or reduce a risk that is not currently being controlled.
- Transferal: Transfer the risk to outside organizations or to other areas that are better placed to handle it.
- Mitigation: Decrease the impact of a successful attack on assets.
- Acceptance: Do nothing, but document that the risk is not being controlled and that the risk is being accepted.
- Termination: Completely remove the asset from the organization.
Another viewpoint on risk control strategies describes the following four strategies (Gillette n.d.):
- Avoidance:
  - The most popular strategy
  - Tries to avoid risks and threats completely
  - Counters threats by:
    - Removing assets that are vulnerable
    - Limiting who can access the asset
    - Adding safeguards to protect the asset
  - Methods used to avoid risk:
    - Policy
    - Training
    - Technology
- Transference:
  - Moves the risk to other assets, processes, or organizations
  - Transfers risk through the following methods:
    - Reengineering services
    - Changing development methodologies
    - Outsourcing
  - Advantages: leverages another company's expertise and allows the primary company to concentrate on what it knows best
  - Disadvantages: costs are likely to be high, and the contracts can be very complex in order to keep both companies safe from liability
  - Larger organizations are more likely to use this method
- Mitigation:
  - Limits the impact that would result if an asset were successfully attacked
  - Uses planning and preparation to reduce the impact
  - Planning includes a disaster recovery plan, an incident response plan, and a business continuity plan
  - Early detection is key to limiting the impact
- Acceptance:
  - Do nothing and accept the results of any attacks
  - This method requires determining how much risk there is, how likely an attack is, how much harm an attack would cause, how feasible it would be to add additional controls, what the cost-benefit of adding controls to prevent an attack is, and whether measures to prevent an attack are justifiable
How a risk is handled is largely up to the organization. An organization that is governed by regulations can choose not to mitigate its risks in an appropriate fashion, but it can face penalties and fines if it is out of compliance. If an employee of a regulated company willfully disregards the law, they could face fines, termination, or even jail time.
References:
- Gillette, W. (n.d.). Risk Control Strategies and Physical Security. Retrieved from https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&sqi=2&ved=0CDgQFjAB&url=http%3A%2F%2Fwww.cs.uwlax.edu%2F~riley%2FCS419%2FRiskControl.ppt&ei=k9JKVJvuEsr-8AHSmYH4Aw&usg=AFQjCNF2pMwz8zCK_L0_NxbDx-Ca6KFIGw&sig2=qg5bE4b6H3aix0_-dupP_w
- Whitman, M. and Mattord, H. (2014). Management of Information Security, 4th edition. Cengage Learning.