1 hour 39 minutes
This is Risk Management in Information Technology.
In our previous lesson, we discussed risk mitigation as part of risk management.
This lesson is about risk avoidance.
We will be discussing different risk avoidance scenarios and different examples of how this is done depending on the risk level.
Risk avoidance is a practical but business-restrictive solution. This is because avoiding the risk at scale can be impractical.
It is also a form of risk mitigation: you remove the threat itself by eliminating the processes, procedures, and resources that expose you to it.
With that in mind, let's talk about scenarios for how risk avoidance can be done in a low-risk environment, a medium-risk environment, or an enterprise setting.
The risk is determined to be low if there is no significant loss when the threat is realized.
A medium risk is one where there is substantial loss when the threat is realized.
Enterprise-level risks are geared toward larger businesses with 50 employees or more.
Here is one risk avoidance scenario.
Our CSO read that FTP is insecure in a webinar he attended.
He requests that the team remove FTP access and usage across the company and any third-party vendors.
The problem is that a lot of these scripts have been developed over the years and are reliable, and moving to another solution will take retraining and new servers.
With low risk avoidance, we can remove FTP from machines that do not need it, centralize FTP on a few servers, and restrict access to the service by AD group or some other mechanism.
Another control is to upgrade the built-in FTP server to a vendor-based FTP solution. This may require a purchase, and we schedule regular patches on the server and the FTP software.
With medium risk avoidance, we can remove FTP from unnecessary machines, centralize FTP on a few servers, and restrict access to the service by AD group.
Another control is to upgrade the scripts from FTP to SCP, which is encrypted and more secure.
We can schedule regular patches on the server and the SCP software as well.
With enterprise risk avoidance, we can prevent use of FTP via firewalls or network filtering.
We can then centralize the use of SCP or FTPS on a few servers, restrict access to the servers by AD group, and allow only service-account access to the SCP or FTPS servers.
Another control is to upgrade the scripts to use a properly secured and configured file transfer service. This can be an online service like Tumbleweed, Box, Dropbox, or S3.
We can schedule regular patches on the server and the SCP software.
Another layer of control is restricting access and separating shares for dev, test, and production.
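The three tiers above amount to an allow-list that gets stricter as the risk grows: tolerate FTP only on a few central servers for an AD group, then push scripts to SCP, then block plaintext FTP at the network layer and admit only service accounts to the central SCP/FTPS servers. The Python script below is an added example, not part of this lesson or any vendor product; it encodes the tiers as one policy function and runs it over constructed, identity-aware firewall log lines. The server addresses, user names, the FILE_TRANSFER_GROUP stand-in for an AD group, and the log format are all hypothetical. It covers all three tiers so you can see which connections a tier still tolerates and which it reports.

```python
"""Tiered FTP-avoidance policy check over constructed firewall log lines.

Added example (not part of the lesson). Addresses, user names, the
FILE_TRANSFER_GROUP stand-in for an AD group, and the log format are
hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical central file-transfer servers that remain after consolidation.
CENTRAL_SERVERS = {"10.0.5.10", "10.0.5.11"}
# Stand-in for the AD group that is allowed to use the central servers.
FILE_TRANSFER_GROUP = {"alice", "bob", "svc-batch"}
SERVICE_ACCOUNT_PREFIX = "svc-"

FTP, SSH, FTPS = 21, 22, 990   # plaintext FTP, SCP/SFTP over SSH, implicit FTPS
TRANSFER_PORTS = {FTP, SSH, FTPS}
TIERS = ("low", "medium", "enterprise")


def violation(user: str, dst: str, dport: int, tier: str) -> Optional[str]:
    """Return why a file-transfer connection is not acceptable under `tier`,
    or None when the policy allows it.

    low:        FTP tolerated, but only to central servers and group members.
    medium:     as low, plus any remaining plaintext FTP is a migration item.
    enterprise: plaintext FTP blocked outright; only service accounts may use
                SCP/SFTP or FTPS, and only against the central servers.
    """
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}")
    if dport not in TRANSFER_PORTS:
        raise ValueError(f"port {dport} is not a file-transfer port")
    if dst not in CENTRAL_SERVERS:
        return "transfer to a non-central server; consolidate onto the central servers"
    if user not in FILE_TRANSFER_GROUP:
        return "user is not in the file-transfer AD group"
    if tier == "enterprise":
        if dport == FTP:
            return "plaintext FTP is blocked at the firewall; use SCP/SFTP or FTPS"
        if not user.startswith(SERVICE_ACCOUNT_PREFIX):
            return "only service accounts may reach the central transfer servers"
    elif tier == "medium" and dport == FTP:
        return "plaintext FTP still in use; migrate this script to SCP"
    return None


# Constructed log format from a hypothetical identity-aware firewall.
LOG_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    user: str
    src: str
    dst: str
    dport: int
    reason: str


def audit(lines: List[str], tier: str) -> List[Finding]:
    """Run the policy over log lines; non-transfer ports are ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        dport = int(m["dport"])
        if dport not in TRANSFER_PORTS:
            continue
        reason = violation(m["user"], m["dst"], dport, tier)
        if reason is not None:
            findings.append(Finding(m["user"], m["src"], m["dst"], dport, reason))
    return findings


# Constructed sample: five connections, one of them (HTTPS) out of scope.
SAMPLE_LOG = """\
user=alice src=10.0.8.23 dst=10.0.5.10 dport=21
user=bob src=10.0.8.41 dst=10.0.9.7 dport=21
user=svc-batch src=10.0.8.50 dst=10.0.5.11 dport=22
user=carol src=10.0.8.60 dst=10.0.5.10 dport=22
user=alice src=10.0.8.23 dst=10.0.5.10 dport=443
"""

if __name__ == "__main__":
    for tier in TIERS:
        print(f"--- {tier} ---")
        for f in audit(SAMPLE_LOG.splitlines(), tier):
            print(f"{f.user}@{f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

On the sample, the low tier reports only bob's FTP to a non-central host and carol's access from outside the group; the medium tier adds alice's still-plaintext FTP as a migration item; the enterprise tier reports alice's FTP as blocked outright, while svc-batch's SCP to a central server passes in every tier. Real firewall logs rarely carry a user name, so in practice the group and service-account checks belong on the central servers (for example sshd's AllowGroups and per-account keys) and the firewall only enforces the port and destination part.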
Here's another risk avoidance scenario. Our lead developer has decided that Java is no longer a viable solution.
She contends that the upgrade process has become too cumbersome and the patches have become harder to manage.
She then requests that the team move to a relatively better-supported programming language such as C#, which is Microsoft's .NET solution and is Java-like.
With low risk avoidance, we can migrate the code and recompile using C#, which is a Java-like language, or any newer programming language such as Python or Go.
We can deploy and test the code or software before migrating it to production.
Under medium risk avoidance, we can migrate the code and recompile using C# or any newer programming language.
We can deploy and test the code or software.
We can also conduct a peer review, which is having another pair of eyes look at the logic, before migrating the code to production.
Under enterprise risk avoidance, we can migrate the code and recompile using C# or another newer programming language.
We can deploy and test the code in a QA environment with production-like data.
We can then perform a code review and check the code into the repository.
With enterprises, change requests are required for coordinating changes. They are approved by the change committee, which makes sure that no change affects another change going on in the environment.
Change controls also require a specific date and time to deploy, as well as rollback procedures if the deployment has issues.
Time for a quick quiz.
True or false: risk avoidance is a form of risk mitigation.
The answer is true. Risk avoidance is indeed a form of risk mitigation.
An example scenario: the FTP migration to SSH is part of (A) low risk avoidance, (B) medium risk avoidance, or (C) enterprise risk avoidance?
The answer is B. The FTP migration to SSH is part of medium risk avoidance.
An example scenario: change requests are part of (A) low risk avoidance, (B) medium risk avoidance, or (C) enterprise risk avoidance?
The answer is C. Change requests are part of enterprise risk avoidance.
In this lesson we discussed risk avoidance, which is a practical but business-restrictive solution, as well as different risk avoidance example scenarios and solutions.
This is instructor robert Ghana.