Risk Management Techniques applicable to Information Systems on any organization

Risk Management Techniques applicable to Information Systems on any organization


1. Techniques for Applications/Databases Risk Management

a. The browser security for all workstations should be set to medium-high. For maximum security, browser security should be set to high which blocks all malicious sites and downloads. Setting the security level to low can cause problems like unverified downloads and allowing access to known malicious sites which can cause a lot of harm.

b. An antivirus (like Kaspersky & McAfee) can be deployed locally (to avoid network lags if deployed in a domain setup). However, it should be mandatory to check updates for the antivirus regularly, and preferably on a daily basis, because antivirus definitions are updated very frequently. If not, the antivirus should be set to check for updates and update automatically with no user intervention required. The latter is better.

c. Ordinary users should be denied any privilege escalation abilities regardless of how complicated the process of escalating privileges is. This minimizes the risk in case an ordinary user’s workstation is compromised. All escalation abilities should be left to the administrator only.

d. All data, especially in transit, or at rest should be encrypted. This reduces the exposure of internal data in case of a system breach. Again, the encryption used should be a state-of-the-art encryption standard like Advanced Encryption Standard (AES) .


2. Techniques for Configuration Highlights Risk Management

a. The wireless network should use an SSID that is related to the organization. The wireless network should be of the state-of-the-art standards, that is, WPA2/WPA3 (Wi-Fi Protected Access) which employs mandatory AES encryption. For better wireless security, WPA2 Enterprise can be used. Also, the password should be changed after a short while, probably weekly to prevent Spoofing attempts and Rogue Access Points attacks’ success.

b. The wireless network should separated from the main Local Area Network (LAN) to enhance security. It should also be segmented and placed in its own subnet, and Authentication should be used between the wireless and wired networks.

c. There should be a different wireless network for visitors, and the SSID for this network should be changed regularly (daily, if possible).

d. All network traffic should be logged. Hardware firewalls, Intrusion Detection/Prevention Systems (IDS/IPS) and network loggers should be integrated in the system to detect and prevent compromise attempts like network scanning and hacking, as well as for audits. It is a very high risk to have unmonitored networks.

e. Users should never be the ones dictating the length and complexity of their passwords as they will always make the bad choice – a simple, memorable password. The organization policy should include mandatory lengths (preferably a concatenation of phrases), of at least 8 characters, a combination of upper and lower case characters, special symbols and numbers. These passwords should be set in the policy to expire automatically after one month. Also, the passwords should never be reused.


2. Techniques for Documentation, Personnel/Physical Security, and Incident Response Risk Management

a. Documentation is one of the most important aspect of policies, procedures, guidelines, practices and organization culture. If possible, every single policy, procedure, guideline and practice should be documented. Therefore, physical/personnel security policies should be defined unambiguously and properly documented. This applies to computer use policies and practices as well as any simple or complex system change.

b. A clear contingency plan should be formulated and fully documented to ensure Business Continuity in case of any emergency. These contingency plans should be fully tested and drills conducted at least once every year.

c. Users should be trained on security issues. A policy should exist such that all new employees go through mandatory security training. As advances and developments in technology are made, so should the knowledge given to employees. Training should be regularly planned for and information security awareness should be made part of the performance evaluation test.

d. It is good practice to always use VPNs (Virtual Private Networks) in remote communications to avoid eavesdropping and interceptions of data and information in transit. Machines used in remote communication and operations should have fully encrypted disks, and should be configured differently from workstations in the main offices to minimize the risk of too much exposure if either are compromised. Policies to have different but equally efficient systems should be documented.

e. All incidents, minor or major, should be reported. A process to log and report incidents should be clearly documented, regardless of if any incident has ever occurred. History of incidents can be important in making crucial business decisions. For incidents, ITIL (Information Technology Infrastructure Library) practices can be employed. The plan for incidents reporting and logging should include corrective measures for returning to normal operation after incidents. Internationally accepted standards can be used to formulate incident response plans.


Risk Management Techniques applicable to Information Systems on any organization
Wiki | thetqweb