SY0-501 Section 2.3 Given a scenario, implement appropriate risk mitigation strategies.

The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program that involves the management of organizational risk—that is, the risk to the organization or to individuals associated with the operation of an information system. The management of organizational risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for an information system- –the security controls necessary to protect individuals and the operations and assets of the organization.

Risk-Based Approach

The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:

Step 1: Categorize

Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Step 2: Select

Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on organization assessment of risk and local conditions.

Step 3: Implement

Implement the security controls and document how the controls are deployed within the information system and environment of operation

Step 4: Assess

Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system .

Step 5: Authorize

Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Step 6: Monitor

Monitor and assess selected security controls in the information system on an ongoing basis including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.

Change management

The purpose of change management is to ensure proper procedures are followed when modifications to the IT infrastructure are made. These modifications can be prompted by a number of different reasons including new legislation, updated versions of software or hardware, implementation of new software or hardware, or improvements to the infrastructure. The term “management” implies that this process should be controlled in some systematic way, and that is indeed the purpose. Changes to the infrastructure can have a detrimental impact on operations. New versions of operating systems or application software can be incompatible with other software or hardware the organization is using. Without a process to manage the change, an organization can suddenly find itself unable to conduct business.

Incident management

‘Real World’ definition of Incident Management: IM is the way that the Service Desk puts out the ‘daily fires’.

An ‘Incident’ is any event which is not part of the standard operation of the service and which causes, or may cause, an interruption or a reduction of the quality of the service.

The objective of Incident Management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, at a cost-effective price.

Inputs for Incident Management mostly come from users, but can have other sources as well like management Information or Detection Systems. The outputs of the process are RFC’s (Requests for Changes), resolved and closed Incidents, management information and communication to the customer.

Activities of the Incident Management process:

Incident detection and recording

Classification and initial support

Investigation and diagnosis

Resolution and recovery

Incident closure

Incident ownership, monitoring, tracking and communication

Perform routine audits

System administrators should fulfill a number of periodical operations which are required to ensure that the network infrastructure is running and all computer systems work fine. VIP Task Manager can facilitate planning and tracking of IT administrators’ routine tasks.

IT routine audits and maintenance tasks planning

Administrators should plan and perform daily technical checkups of hardware. These tasks are routine, so are regulated by certain procedure. VIP Task Manager is groupware product, which allows IT specialists to schedule and mark out their routine operations, and procedures, which are related to IT infrastructure maintenance and audits. For this purpose system administrator can create recurrence tasks, which should be done every day at certain time and set pop-up sound reminders for these tasks. IT specialists are able to plan their tasks by date, time and duration, set priority, order and use Scheduler (Calendar) mode to see the workloads for day, week or month.

IT routine audits and maintenance tasks tracking

The senior administrator should control the execution of routine tasks, be aware if any issues appear and keep the registration of tasks performed. The senior system administrator can plan tasks for subordinates, give instructions and control the work performance for IT system administrative team – get immediate notifications about completion of certain tasks and get acquainted with work results (reports attached to task – files, links, notes).VIP Task Manager is customizable and flexible groupware with access rights management, so each internal team (administrators, developers etc.) within IT department can work confidentially and safely and even do not know about tasks of each other, or contrary – easily share common projects.

IT routine audits and maintenance tasks reporting

With applying operating system and software updates, patches, and configuration changes, performing backups and restores, hardware monitoring and troubleshooting, system administrators should make reports and store them. Most reports are generated by special professional software and can be stored as files of different formats. After some checkup is done, the report can be attached to task, so IT specialist can easily find and open it next time. Besides system administrators can attach hyperlinks to files that are stored within the LAN in shared folder, for example user can set path to some system log that is placed on any computer within LAN and open it any time by one click on hyperlink. VIP Task Manager allows making printable reports and building charts to assess the state of work performance, to see volumes of work done and to learn IT staff performance indicators.

Enforce technology controls

CompTIA is fond of risk mitigation and confronting it through the use of routine audits that address user rights and permission reviews, change management—the structured approach that is followed to secure a company’s assets—and incident management—the steps followed when events occur (making sure controls are in place to prevent un-authorized access to, and changes of, all IT assets). Policies addressing data loss or theft need to be in place, and technology controls should be enforced.

Data loss prevention (DLP)

systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. DLP systems share commonality with network intrusion prevention systems.