inSync Computer Solutions:
Family-owned. Family-run. Since 1994.
Risk assessment & management
When businesses decide to examine their risks and choose to mitigate a risk, there are three different types of controls that can be implemented. Our job is to design and integrate a solution that balances the company's priorities with its budget.
Mitigating risks
We may call it security, but let's be realistic: once you connect to the Internet, hire employees, and purchase IT assets, it's about mitigating the risks associated with running a business, cost-effectively. The three types of controls used to mitigate risks are:
Administrative controls, which are approved written policies, procedures, standards and guidelines;
Logical controls, which use software and data to monitor and control access to information and computing systems.
For example: passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.
Physical controls, which monitor and control the environment of the workplace and computing facilities. They include monitoring and controlling access to and from facilities.
Examples are doors, locks, heating/air conditioning, smoke/fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, and cable locks.
Separating the network and workplace into functional areas is also considered a physical control.
Security risks & risk management
Multi-tiered Security
The CISA Review Manual provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
Risk management is an ongoing process. The countermeasures, or controls, used to manage risks must strike a balance between productivity, cost, effectiveness, and the value of the asset being protected.
For most small businesses, our recommendation for protecting and securing IT assets can be as simple as a robust firewall and backup solution, offsite backup, current antivirus and mail security, an uninterruptible power supply, good password conventions, and a server with hard drive redundancy, a current operating system, and up-to-date patches.
For the majority of our clients, which are small businesses, this solution has provided successful protection.
However, for our more sophisticated enterprise clients, this is not sufficient. For these clients, we perform a risk assessment with assistance from the client's staff who are knowledgeable about specific areas of the business. The participating staff may vary as different parts of the business are assessed.
As part of our risk assessment, the following items may be included, depending upon the client's needs:
- security policy,
- organization of information security,
- human resources security,
- physical and environmental security,
- communications and operations management,
- access control,
- information systems acquisition, development and maintenance,
- information security incident management,
- business continuity management, and
- regulatory compliance.
For any given risk, our client makes the decision to either:
- Accept the risk, based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business; or
- Mitigate the risk by selecting and implementing appropriate control measures to reduce it.
For more information about our process to mitigate security risks, and a cost-effective business continuity assessment, please contact us at (888) 638-6211.