May 13 2011

Enterprise Risk Management: From Incentives to Controls

Category: Security Risk Assessment | DISC @ 12:03 pm

Enterprise risk management is a complex yet critical issue that all companies must deal with as they head into the twenty-first century. It empowers you to balance risks with rewards as well as people with processes.

But to master the numerous aspects of enterprise risk management, you must first realize that this approach is driven not only by sound theory but also by sound practice. No one knows this better than risk management expert James Lam.

In Enterprise Risk Management: From Incentives to Controls, Lam distills twenty years’ worth of experience in this field to give you a clear understanding of both the art and science of enterprise risk management.

Organized into four comprehensive sections, Enterprise Risk Management offers in-depth insights, practical advice, and real-world case studies that explore every aspect of this important field.

Section I: Risk Management in Context lays a solid foundation for understanding the role of enterprise risk management in today’s business environment.

Section II: The Enterprise Risk Management Framework offers an executive education on the business rationale for integrating risk management processes.

Section III: Risk Management Applications discusses the applications of risk management in two dimensions – functions and industries.

Section IV: A Look to the Future rounds out this comprehensive discussion of enterprise risk management by examining emerging topics in risk management with respect to people and technology.

Failure to properly manage risk continues to plague corporate America from Enron to Long Term Capital Management. Don’t let it hurt your organization. Pick up Enterprise Risk Management and learn how to meet the enterprise-wide risk management challenge head on and succeed.

Here are the publication details of the book.

Authors: James Lam
Publisher: John Wiley
ISBN 10: 0471430005
ISBN 13: 9780471430001
Pages: 336
Format: Hard Cover
Published Date: 24/06/03

“I would highly recommend this book to anyone with a serious interest in understanding risk management from a holistic perspective.”

Tags: Enterprise Risk Management, Risk Assessment, Security Risk Assessment, security risk assessment process

Feb 16 2010

Security risk assessment process and countermeasures

Category: Security Risk Assessment | DISC @ 4:01 pm

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The following are the common steps that should be taken to perform a security risk assessment. They are basic, generic steps and should not be followed as is; tailor them to the organization’s assessment scope and business requirements.

• Identify the business needs of the assessment and align your requirements with those business needs.
• Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
• Review and analyze the existing assets, threats and vulnerabilities.
• Analyze the impact and likelihood of threats and vulnerabilities on assets.
• Assess the physical controls protecting the network and security infrastructure.
• Assess the configuration of the network and security infrastructure against existing policies and procedures.
• Review logical access, physical access and other authentication mechanisms.
• Review the level of security awareness against current policies and procedures.
• Review the security controls in service level agreements with vendors and contractors.
• At the end of the review, develop practical recommendations to address the identified gaps in security controls.

To close the gaps identified in the infrastructure, we have to select appropriate countermeasures that address the vulnerability or thwart the threat of attack. Countermeasures use four types of techniques:

• Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at the ISP is an example of a deterrent control.
• Preventive controls reduce exposure. A firewall is an example of a preventive control.
• Corrective controls reduce the impact of successful attacks. Antivirus is an example of a corrective control.
• Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are examples of detective controls.
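The steps above end with identifying gaps in security controls, and the four control types give a way to describe those gaps. The following is an added example, not code from the handbook or from this post, of a small risk register that scores each asset/threat pair by likelihood times impact, ranks the results, and reports which of the four control types has no existing control covering it. The 1..5 scales, the low/medium/high thresholds and the register entries are constructed assumptions for illustration; real assessments use whatever scale the organization has agreed on.

```python
from dataclasses import dataclass, field

# The four control types named in the post.
CONTROL_TYPES = ("deterrent", "preventive", "corrective", "detective")
BAND_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Control:
    name: str
    kind: str  # one of CONTROL_TYPES

    def __post_init__(self):
        if self.kind not in CONTROL_TYPES:
            raise ValueError(f"unknown control type: {self.kind}")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be in 1..5")

    def score(self) -> int:
        """Qualitative risk score: likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def risk_band(score: int) -> str:
    """Map a 1..25 score to low/medium/high. Thresholds are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def missing_control_types(risk: Risk) -> list:
    """Control types from the post's taxonomy that no existing control covers."""
    present = {c.kind for c in risk.controls}
    return [k for k in CONTROL_TYPES if k not in present]


def rank_risks(register: list) -> list:
    """Highest score first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def gap_report(register: list, min_band: str = "medium") -> list:
    """Ranked risks at or above min_band, each with its uncovered control types."""
    report = []
    for r in rank_risks(register):
        band = risk_band(r.score())
        if BAND_ORDER[band] < BAND_ORDER[min_band]:
            continue
        report.append({
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score(),
            "band": band,
            "missing": missing_control_types(r),
        })
    return report


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    Risk("web server", "SQL injection", 4, 5,
         [Control("perimeter firewall", "preventive"),
          Control("network IDS", "detective")]),
    Risk("staff workstations", "phishing", 5, 3,
         [Control("ISP blocking of phishing sites", "deterrent"),
          Control("antivirus", "corrective"),
          Control("SIEM alerting", "detective")]),
    Risk("backup tapes", "theft in transit", 2, 4,
         [Control("locked transport case", "preventive")]),
    Risk("intranet wiki", "defacement", 2, 2),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE_REGISTER):
        print(f"{row['band']:6} {row['score']:2}  {row['asset']} / {row['threat']}"
              f"  -> add: {', '.join(row['missing']) or 'none'}")
```

The report is a starting point for the final recommendations step: a high-band risk with no detective control, for instance, is a gap even when a firewall already sits in front of the asset, because nothing would reveal that the preventive control had been bypassed.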

Tags: authentication, countermeasure, Firewall, phishing, Risk Assessment, security controls, Security policy, security review, Security Risk Assessment, security risk assessment process