This is risk management in information technology. In our previous lessons, we discussed risk assessment processes.
Now we'll be discussing the different risk responses management can use to address the risk.
This lesson is about risk mitigation.
We will be discussing different risk mitigation scenarios and different examples on how this is done, depending on the risk level.
Risk mitigation is the most common way of handling risk.
Management decides on what to implement as safeguards or countermeasures to handle the threat.
It is also the most cost restrictive solution,
meaning that the cost of the solution will determine whether management will apply the countermeasure or safeguard or not.
With that in mind, let's talk about scenarios on how risk mitigation can be done in a small risk environment, a medium risk environment or an enterprise setting.
The risk is determined as low if there is no significant loss when the threat is realized.
A medium-sized risk is where there is substantial loss when the threat is realized.
Enterprise-level risk is geared towards large-sized businesses with 50 employees or more.
Let's start by talking about this scenario. Our business is hiring temporary contractors for development.
We hired a company that requested their team of developers log on to the network as part of the contract, and they will be assigned user access to the database and servers.
The developers are requesting direct administrator access to the servers and databases.
The developers will be coming in and out of the office and use their own laptops.
In our environment, there is no formal password enforcement.
Active Directory is available, but only for centralized server logins for most servers.
A lot of the servers are still off the domain, mostly development and test servers, for ease of development.
Database access is open to all users and has no restrictions.
Laptops used by developers are not monitored or scanned and are potentially used at home.
Passwords between servers do not follow any policy.
For this scenario, using low mitigation solutions, we identified mitigating controls for the risks involved.
For laptop insecurity, we can request that the developers install antivirus and malware detection software as well as periodic updates.
For universal database access, we can restrict the database to only the appropriate users and enforce the use of a managed database account for production access.
We can improve password security by enforcing complex passwords and create an AD group with rights restricted to the servers requiring access.
In a medium risk scenario, we add a few more controls, such as preventing use of external laptops and providing in-house devices with domain membership, patch management, antivirus and malware detection.
To mitigate database concerns, we add test database instances with test data, restrict access to the production database to only authorized users, and use a managed database account for production access.
We can also enforce documentation for development and code delivery.
Enforcing a stricter password policy is also recommended.
And of course, the same restrictions on servers to the members of the AD group.
For enterprise risk mitigation, we take the medium risk controls and elevate them further.
We can restrict installation of unauthorized software by regular users and add infrastructure controls for installation and laptop management.
We can create two other different database instances with test data and enforce use of a managed database account for production access.
We can also enforce a control where DBAs are the only ones who have access to implement production changes, along with change management control and tracking changes in a central repository.
We can also include back-out or rollback plans if the deployment fails.
Password rules can be improved by adding a 45-day password expiration and enforcing it for all users in the network.
For the server admin access, we can enforce a separate elevated account instead of allowing the same accounts that users use on their workstations.
As you can see, as you add more controls for risk mitigation, the cost of implementation goes up as well.
Adding DBAs becomes expensive as we add more instances and databases.
Managing the access of machines and rights of users becomes exponentially expensive as we manage a 10,000-employee enterprise with adding or removing hundreds of users a day.
Providing laptops, workstations and servers, and managing the security and patches on these devices and servers, will require full-time staff.
Let's do a quick quiz.
Which of the following is not true about risk mitigation?
Is it A, it's the most common way of handling risk;
B, it involves implementation of safeguards and countermeasures;
C, it is the most cost restrictive solution;
or D, it transfers risk to a third party?
And the answer is D.
Risk mitigation does not transfer risk to a third party.
We talked about risk mitigation,
we talked about it being a cost restrictive solution, and we discussed different risk mitigations in our examples.
This is instructor Robert Ghana.
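
As an added illustration (not part of the lesson or the course material), the Python sketch below checks an account and server inventory against controls named in the scenario: the 45-day password expiration, a separate elevated account for server admin access, domain membership for servers, and admin rights granted through the AD group instead of directly. The group name `SRV-Admins`, the record layout and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 45  # expiration period from the enterprise tier in the lesson

@dataclass(frozen=True)
class Account:
    name: str
    password_set: date
    groups: frozenset
    elevated: bool  # True for a dedicated admin account, separate from the workstation login

@dataclass(frozen=True)
class Server:
    name: str
    domain_joined: bool
    admin_principals: frozenset  # user or group names holding admin rights

def audit(accounts, servers, today, admin_group="SRV-Admins"):
    """Return (subject, finding, detail) tuples for every control violation."""
    findings = []
    users = {a.name for a in accounts}
    for a in accounts:
        age = (today - a.password_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.name, "password-expired", f"{age} days old"))
        # Server admin rights belong on the elevated account, not the daily one.
        if admin_group in a.groups and not a.elevated:
            findings.append((a.name, "workstation-account-in-admin-group", admin_group))
    for s in servers:
        if not s.domain_joined:
            findings.append((s.name, "server-off-domain", "AD policy not enforced"))
        # A user name here means rights were granted directly, bypassing the AD group.
        for p in sorted(s.admin_principals & users):
            findings.append((s.name, "direct-admin-grant", p))
    return findings

# Constructed sample inventory (hypothetical names, not from the lesson).
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", date(2024, 5, 10), frozenset({"Staff", "SRV-Admins"}), False),
    Account("alice-adm", date(2024, 5, 20), frozenset({"SRV-Admins"}), True),
    Account("dev1", date(2024, 3, 1), frozenset({"Contractors"}), False),
]
SERVERS = [
    Server("prod-db01", True, frozenset({"SRV-Admins"})),
    Server("test-app02", False, frozenset({"dev1"})),
]

if __name__ == "__main__":
    for subject, finding, detail in audit(ACCOUNTS, SERVERS, TODAY):
        print(f"{subject:12} {finding:36} {detail}")
```
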
Course Assessment - Risk Management and Information Systems Control