Information Security and Risk Management - vulnerability management from VeriSign, Inc.


Information Security and Risk Management


Information security has become a question of prioritization for large organizations with sophisticated security operations. The threats keep coming, systems evolve, and people want to do more over networks. How should an enterprise allocate finite security resources to get the highest return while lowering risk?

Problem: Proliferation of Risks

Security issues can result in lost income, additional expenses and fines, or the erosion of trust and IT control over time. Network monitoring tools that look for technical attack points or vulnerabilities help identify technical issues. However, people and processes can compromise technical controls through accidental or intentional misuse, putting information and networks at risk.

Solution: Security Risk Management

A comprehensive risk management approach to information security requires identification of vulnerabilities and threats that are most likely to occur, quantification of the potential harm to your business, and development of mitigation efforts to achieve an acceptable risk level. This is not simply about managing a device, pushing a rule change or correcting a patch level. It requires determining which assets to patch first, what controls to implement, whether or not patching occurred, and what effect remediation efforts will have on overall risk exposure.

  • The risk management process begins with the development of a risk management narrative including a statement of acceptable risk tolerance used to determine policies and communicate decisions to stakeholders.
  • The risk identification process uses real-time data to identify vulnerabilities and threats related to security technology, people, and processes.
  • The application of standard assessment frameworks such as ISO 27002 and BSI 7799-2 to the risk management narrative and risk identification shows how company policies and implementation measure up to IT security best practices.
  • Through risk analysis, potential threats are identified and quantified according to the likelihood of attack, the asset value to the business, the location of the asset on the network, and any legal or compliance issues related to the risk. Risk analysis helps enterprises to prioritize risks and optimize available resources.
  • The response plan and risk mitigation road map prioritize actions to reduce risk as quickly and cost-effectively as possible.

Regular assessment and continuous monitoring help ensure that mitigation has occurred, and help identify new threats.

Improving Security ROI

As requirements and systems change, security professionals make tradeoffs to achieve an acceptable level of risk without compromising data availability, confidentiality, and integrity. An effective risk management program gives C-level executives a way to manage the evolution of their information security systems.

Information workflow

How VeriSign Helps

Outsourcing functions of risk management to a managed security services provider frees internal resources from highly technical, repetitive management and administration tasks to focus on strategic priorities. VeriSign® Managed Security Services (MSS) apply our people, processes, technology, and intelligence to reduce the complexity and cost of keeping pace with evolving vulnerabilities and security threats. We help you protect the confidentiality, availability, and integrity of data systems.

A Holistic Approach to Information Security

Security Risk Profiling Service

A comprehensive, quantifiable view of your risk exposure and policy compliance with a change modeling and attack simulation environment.

Managed Security Services

Our unique combination of people, processes, technology and intelligence helps our customers more effectively monitor compliance and manage risk.

Global Security Consulting

Our global security consultants help companies respond to attacks, reduce risk, and meet security compliance requirements.

iDefense® Security Intelligence Services

Our comprehensive, actionable intelligence reports and alerts offer advance warning and prioritize patching to help protect critical data and infrastructure from threats.
