Risk Controls in IA

Zachary Rensko
COSC 481
Outline

Definition

Risk Control Strategies

Risk Control Categories

The Human Firewall Project

OCTAVE
Definition

A risk control is any device or practice
designed to prevent, reduce, or redirect
risk.

Risk controls are differentiated from one another by the risk control strategy they follow and by the risk control category they belong to.
Risk Control Strategies

In order to choose a risk control you must first choose a risk control strategy to follow.

A risk control strategy is the basic principle behind a risk control.

There are four risk control strategies: acceptance, mitigation, transference, and avoidance.
Acceptance

Acceptance is really the absence of a risk control strategy.

To accept risk is to take no action to prevent, reduce, or redirect it.

This is typically the worst choice of risk control strategy.

Acceptance should only be considered when the potential cost of a risk is far less than the cost of implementing the cheapest applicable risk control strategy.

Mitigation

Mitigation is the process of lessening the damage done by an exploited vulnerability when it occurs.

The key element of mitigation is the ability to detect and respond to an exploit when it occurs.

Once an exploit has been detected, an incident response plan, disaster recovery plan, or business continuity plan must be put into action in order to mitigate the risk.

Transference

Transference seeks to shift the risk involved
from one area to another.

The two main ways to do this are through
insurance and outsourcing.
Avoidance

Avoidance is the most common and often the best
risk control strategy to use.

It seeks to prevent the exploitation of
vulnerabilities.

Avoidance can be achieved through the application
of policy, training and education, by countering
threats, or through the implementation of
technical safeguards and controls.
Risk Control Categories

After the appropriate risk control strategy
has been selected a risk control can be
selected based upon its category.

There are four basic risk control categories: control function, architectural layer, strategy layer, and information security principle.
Control Function

The control function category refers to the purpose behind the risk control.

There are two basic subcategories of control function: preventative and detective controls.

Preventative controls are often a digital enforcement of organizational policies.

Detective controls are technical devices, such as an IDS, that alert a system administrator to exploits.

Architectural Layer

This category refers to the architectural layer the control operates in (e.g. the application layer).

A single control can exist in multiple architectural layers; password policies are one example.
Strategy Layer

Controls that are categorized by the strategy layer are defined by the risk control strategy they use.

For example, insuring a critical system component places that control in the transference strategy layer.
Information Security Principle

This category means that the control is defined by the information security principle it is focused on.

The information security principles are: confidentiality, integrity, availability, authentication, authorization, accountability, and privacy.
Exceptional Risk Controls

There are two notable examples of risk
controls that should be looked at more
closely.

The first is the Human Firewall Project.

The second is the OCTAVE method.
The Human Firewall Project

The Human Firewall Project is an initiative started by the Human Firewall Council in order to promote information security through the use of policy.

The basic idea of this project is that if proper policy is enforced, an organization's personnel can act as a very effective firewall that is not susceptible to digital attack, such as viruses and denial of service attacks.

This project follows the avoidance risk control strategy and can be categorized as a preventative control function.
There are eight essential steps for an organization to undergo in order to establish a human firewall.

The first step is for upper management to consider the effectiveness of their policy across the organization, whether their employees would know if a security violation occurred, and whether those same employees would know what to do if a violation occurred.

The second step is to establish and delegate roles and responsibilities in information security.

Next, create a plan for information security along with a budget.

Then, develop or update information security policies.

Fifth, establish an organization-wide security awareness and education program.

Sixth, measure the progress of the organization's security awareness and education programs.

Then, adapt and improve these security awareness and education programs according to the feedback previously received.

Last, develop an information security incident response team and plan.

OCTAVE

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.

OCTAVE defines the essential components of a comprehensive, systematic, context-driven, self-directed information security evaluation.

This means that organizations that use OCTAVE will be able to make informed information security decisions relevant to the risks associated with the different information security principles that apply to a particular asset.
This method uses a three-phase progression to achieve its goal.

Phase one focuses on information assets and seeks to determine what threats currently exist to each of these assets, the security requirements for each asset, current protection strategy practices for these assets, and any weaknesses within the organizational policies and practices.

Phase two focuses on identifying infrastructure vulnerabilities. This phase involves identifying key operational components of the information technology infrastructure and establishing the weaknesses found there.

The final phase, phase three, focuses on the development of security strategies and plans. This phase is completed by analyzing risks based upon the findings from phases one and two.

Why is OCTAVE so good?

There are several reasons that the OCTAVE method is a best practice for risk control.

First, OCTAVE is self-directed, meaning that the organization's own personnel are involved in the decision-making process.

This ensures that those making the decisions will have the internal knowledge of how the organization works and, thus, will be able to make better decisions than an outsourced agency without that internal knowledge would make.

Secondly, OCTAVE requires that an analysis team perform the evaluation and analyze the information.

Having a small dedicated team devoted to security analysis for a specific company allows the team to focus entirely on security.

The OCTAVE method also stresses that the analysis team can add personnel as needed. An analysis team may need more personnel if it reaches an area of the security evaluation where it lacks the professional knowledge required or needs another viewpoint.
Last, OCTAVE uses a workshop-based approach.

This allows participants from various organizational levels to meet in one location at a particular time to work on various tasks related to one of the three phases of OCTAVE.

This helps gather information that may have been left out if only one organizational level had been considered.

Summary

A risk control is any device or practice that is specifically designed to prevent, reduce, or transfer risk.

A risk control should be selected based upon the risk control strategy it follows and the risk control category it belongs to.

The Human Firewall Project and the OCTAVE method are two exceptional examples of risk controls.
