Unit 3

Uploaded by

SHIRISHA K

INFORMATION SECURITY UNIT-3

TOP RISK CONTROL STRATEGIES IN INFORMATION SECURITY


Companies must adopt risk control strategies when securing their IT environment to identify and neutralize
potential cyberthreats before breach incidents occur. The top risk control strategies in information security
revolve around identifying and patching potential vulnerabilities, hunting for threats, and rapid incident
response should a cyber attack breach perimeter defenses.
Top Four Risk Control Strategies in Information Security
Thoroughly integrating successful risk control efforts into your information security strategic plan relies on
preemptive measures. Your security team must seek out and address cybersecurity infrastructure weak points to
prevent attacks. At the same time, they must locate threats and remain ready to respond should a vulnerability
be exploited or accidentally triggered.

The top four proactive risk control strategies in information security are:

 Continuous risk scanning
 Detection and response
 Third party risk management
 Advanced risk analytics
In addition to these preemptive practices, your information security strategy should include ongoing compliance
and patch management efforts along with predefining an incident response and recovery plan.

Risk Control Strategy #1: Continuous Risk Scanning


Your security team cannot watch every facet of your IT environment all the time; that is what continuous
monitoring software and services are for. A critical part of your organization's threat and vulnerability
management is scanning for the cybersecurity gaps that put potential attack targets, particularly your most
valuable assets, at greater risk.
Your cybersecurity architecture and asset inventory must be monitored continuously so that existing
vulnerabilities are addressed and new ones are identified as they appear. This shortens the window in which
emerging criminal techniques can exploit them; it cannot remove that window entirely, so findings still need
to be triaged and fixed promptly.
RSI Security’s threat and vulnerability management services include inventorying all assets within your IT
environment and conducting threat modeling, which assigns risk and designates the highest priority elements.
Continuous testing and scanning notify your security team of risky vulnerabilities so that you can deploy
patches and update configurations accordingly.

Risk Assessments

Before you begin monitoring your network assets, you first need to identify them, along with the likelihood
of each threat occurring and the resulting impact on the organization. A risk assessment determines and
documents exactly that. Risk assessments may also be required as part of your compliance efforts (e.g.,
the HIPAA Security Rule).

The National Institute of Standards and Technology (NIST) provides risk assessment guidance for developing
this foundation of your information security strategy framework in Special Publication 800-30.
Risk Control Strategy #2: Detection and Response
Responding to threats only after they reveal themselves is too late. Therefore, in addition to continuous
vulnerability scanning, your security team needs to hunt for any indication of advanced persistent threats
(APTs) that may have evaded automated detection.
Threat hunting combines current threat intelligence with iterative investigation to detect anomalies in
network and user activity. Some organizations employ a threat hunter as a tier-three member of their security
operations center (SOC) team. However, one of the most significant challenges threat hunters face is
differentiating between real threats and false positives. Misidentification wastes analyst time and, worse,
lets a real intrusion sit unexamined behind a queue of benign alerts.

An alternative to a full-time threat hunter is partnering with a managed security services provider (MSSP) to
enhance your security team’s knowledge and capabilities. Managed detection and response services seek out
threat indicators, investigate them, initiate response plans, and conduct root cause analysis to prevent recurring
incidents.
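The hunt described in this section, as an added example that is not part of the original notes or of any vendor's service: detection logic run over constructed sshd log lines. The pattern it looks for, a burst of failed logins followed by a success from the same source, separates a guessed password from the constant background scanning that makes "many failures" alone a poor alert. The hostname, the RFC 5737 addresses, the threshold and the time window are all assumptions.

```python
"""Added example: hunting for password brute force in sshd logs while keeping
false positives down. The log lines are constructed in OpenSSH/syslog style
with RFC 5737 documentation addresses; they are not captured data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two sshd outcome messages we care about; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one guessing burst that succeeds, one scanner that never
# succeeds, and one legitimate user who mistyped once.
SAMPLE_LOG = """\
Mar  3 09:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 09:00:03 bastion sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 09:00:05 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 09:00:07 bastion sshd[1204]: Failed password for deploy from 203.0.113.7 port 51003 ssh2
Mar  3 09:00:09 bastion sshd[1205]: Failed password for deploy from 203.0.113.7 port 51004 ssh2
Mar  3 09:00:11 bastion sshd[1206]: Failed password for deploy from 203.0.113.7 port 51005 ssh2
Mar  3 09:00:14 bastion sshd[1207]: Accepted password for deploy from 203.0.113.7 port 51006 ssh2
Mar  3 09:12:00 bastion sshd[1301]: Failed password for invalid user test from 198.51.100.42 port 40000 ssh2
Mar  3 09:12:05 bastion sshd[1302]: Failed password for invalid user oracle from 198.51.100.42 port 40001 ssh2
Mar  3 09:12:10 bastion sshd[1303]: Failed password for invalid user postgres from 198.51.100.42 port 40002 ssh2
Mar  3 09:12:15 bastion sshd[1304]: Failed password for invalid user ubuntu from 198.51.100.42 port 40003 ssh2
Mar  3 09:12:20 bastion sshd[1305]: Failed password for invalid user pi from 198.51.100.42 port 40004 ssh2
Mar  3 09:12:25 bastion sshd[1306]: Failed password for invalid user guest from 198.51.100.42 port 40005 ssh2
Mar  3 09:12:30 bastion sshd[1307]: Failed password for invalid user user from 198.51.100.42 port 40006 ssh2
Mar  3 09:12:35 bastion sshd[1308]: Failed password for root from 198.51.100.42 port 40007 ssh2
Mar  3 09:30:00 bastion sshd[1401]: Failed password for alice from 192.0.2.10 port 60000 ssh2
Mar  3 09:30:06 bastion sshd[1402]: Accepted publickey for alice from 192.0.2.10 port 60001 ssh2
Mar  3 09:31:00 bastion sshd[1403]: Connection closed by 192.0.2.10 port 60001 [preauth]
"""


def parse_auth_log(text: str) -> list:
    """Return (timestamp, outcome, user, ip) tuples in time order.
    Syslog lines carry no year; strptime defaults to 1900, which is fine for
    ordering and for measuring gaps within one day."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are ignored, not errors
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return sorted(events)


def hunt_bruteforce(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Split noisy sources from probable compromises.

    alerts: sources with >= fail_threshold failures inside `window` that were
            then followed by a success from the same source (guessing that worked).
    noise:  sources that only ever failed (internet background scanning); worth a
            block rule, not a tier-three investigation.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts, noise = [], []
    for ip, evs in by_ip.items():
        recent_failures = []  # timestamps of failures still inside the window
        flagged = False
        for ts, outcome, user, _ in evs:
            recent_failures = [t for t in recent_failures if ts - t <= window]
            if outcome == "Failed":
                recent_failures.append(ts)
            elif len(recent_failures) >= fail_threshold:
                alerts.append((ip, user, len(recent_failures)))
                flagged = True
                recent_failures = []
        if not flagged:
            failed = sum(1 for ev in evs if ev[1] == "Failed")
            if failed >= fail_threshold:
                noise.append((ip, failed))
    return alerts, noise


if __name__ == "__main__":
    alerts, noise = hunt_bruteforce(parse_auth_log(SAMPLE_LOG))
    for ip, user, n in alerts:
        print(f"INVESTIGATE {ip}: {n} failures then success as '{user}'")
    for ip, n in noise:
        print(f"noise       {ip}: {n} failures, no success")
```

The success-after-burst rule is what keeps the scanner at 198.51.100.42 out of the analyst's queue; lowering `fail_threshold` to 1 would also flag alice's single typo, which shows how quickly a threshold alone manufactures false positives.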
Risk Control Strategy #3: Third Party Risk Management
The risk your organization faces extends beyond your own IT environment. Especially with the proliferation of
cloud service integrations, organizations must be mindful of the risks posed by partners connected to their
network. If a partner cannot contend with the same threats you face, the effectiveness of your own security is
at stake: an attacker who compromises the partner inherits whatever access the partner has to you.
Additionally, your regulatory compliance may depend on a third party's cybersecurity and data protection
efforts.

Third party risk management requires vendor-focused risk assessments and visibility to determine how
partners’ potential vulnerabilities become your own—and which efforts neutralize them.
Risk Control Strategy #4: Advanced Risk Analytics

The best preparation for managing threats is simulating real attacks that identify vulnerabilities to address and
train your security team on appropriate response tactics. The advanced analytic data collected from test results
provides an insightful roadmap of potential entry points, gaps, and misconfigurations for your security team to
address.

Penetration testing achieves precisely that with pen-testers evaluating your cybersecurity infrastructure to
determine potential attack vectors. Penetration tests can follow white, grey, or black box methods that provide
testers with varying levels of environmental insight.
Your organization’s penetration testing should evaluate your entire IT environment, including:

 Firewalls
 Network security
 Cloud computing
 Web applications
 Hardware
 Mobile devices
 Compliance requirements
Beyond Risk Control Strategies in Information Security
Balancing daily tasks with efforts to stay up-to-date on the latest threats and protective measures places a
significant burden on your security team. However, organizations can enhance their risk and information
security strategic plans by enlisting outside expertise to provide additional guidance and education.

Security program advisory, such as RSI Security’s service, will help your organization continually improve its
cybersecurity—from architecture design to scanning and testing to employee awareness training.
Partnering with an MSSP can also help you update your established risk control strategies through periodic
evaluations, patch monitoring, and assistance with incident management.

Regulatory Compliance

Your organization must maintain its regulatory compliance efforts whether or not you’re subject to regular
reporting or random audits. Periodic gap assessments will determine what cybersecurity elements your
organization needs to update to ensure or demonstrate compliance.
Further, regulatory compliance changes can place unexpected burdens on your security team. Conducting a
bridge assessment (i.e., a gap assessment following regulation changes) is the fastest method for determining
necessary adjustments. An expert MSSP will notify your organization of upcoming changes and work alongside
your staff to help prepare your cybersecurity infrastructure and teams.

Patch Monitoring
Much like with changing regulations, an MSSP can assist with your ongoing patch monitoring efforts. When
vulnerabilities in widely used hardware, software, and firmware are identified, your security team must deploy
the appropriate patches.
However, patch monitoring is a labor- and time-intensive process that reduces your security team’s bandwidth.
Again, prompt notification and guidance from an MSSP keep your organization up-to-date on the latest
vulnerabilities and their patches.

Security Awareness Training


Beyond your security team, your non-technical employees must periodically refresh their knowledge of
cyberthreats. Limiting your organization’s security awareness training to brief mentions during onboarding
materials insufficiently prepares your employees. Instead, consider training sessions a few times per year and
additional services, such as randomly testing your workers with simulated phishing attempts, to improve their
threat recognition.
Incident Management and Recovery Strategies
Incident management comprises the response and recovery portion of your information security strategy
framework. Responding to and recovering from data breaches is the most stressful security team responsibility,
as you must protect your organization’s data and reputation.
Partnering with an MSSP that has successfully remediated numerous breaches will guide your security team on
effective measures that mitigate damages and restore service availability as quickly as possible. RSI Security
can help your organization develop and execute its incident response plan, assisting with:

1. Identifying the incident
2. Logging and tracking the incident with a critical systems audit
3. Investigating and analyzing the incident with a forensic approach to determine root causes
4. Assigning and escalating the incident response to the appropriate SOC team member(s)
5. Remediating incident damage and implementing preventative measures to resolve it
After executing your response and recovery strategy, you must also ensure your customers’ satisfaction with
your efforts to maintain your relationships and brand confidence.

Professional Risk Control and Cybersecurity


Whether seeking occasional guidance or fully outsourcing your risk control strategy, partnering with an expert
MSSP will set your organization up for cybersecurity success. RSI Security leverages over a decade of
cybersecurity and compliance expertise throughout our advisory and managed services to help you control the
risks your organization faces.

Qualitative vs. Quantitative information security risk assessment methodologies


When researching risk assessment methodologies for carrying out an information security risk assessment you
will no doubt be confronted by two terms – Qualitative and Quantitative. Then you may be wondering ‘what
should I do now?’
So which is best? And does it matter? And what is the difference between them?

To answer these questions we should start by defining what they are.

‘Qualitative’ – means “involving distinctions or involving comparisons based on qualities”


‘Quantitative’ – means “that is or may be estimated by quantity”.
So ‘Qualitative’ means based on quality or merit, intrinsic worth or virtue. ‘Quantitative’ means based on
quantity or amount, size or number.

Think of ice cream: we might judge various vanilla ice creams as being 'inedible', 'tasty' or 'moreish'. That
is a qualitative measure. We could put a number against each label and say inedible=1, tasty=2, moreish=3.
Then we ask 100 people to taste our ice creams and rank them 1, 2 or 3. Now we have a quantity, the number of
tasters choosing each label, so we have 'Quantitative' data. Note that the codes 1, 2 and 3 are only ordinal:
they order the labels, but a '2' is not twice as good as a '1', so it is the counts, not the codes, that can be
added and compared.

Does it make any difference?


Well it does if we want to be 'scientific' in our approach to risk assessment. We want to be scientific because
the more scientific we can be, the more reproducible our approach will be. The ISO 27001 standard encourages
us to be consistent: "The risk assessment methodology selected shall ensure that risk assessments produce
comparable and reproducible results" (ISO/IEC 27001:2005 sec 4.2.1 (c) 2). The 2013 revision carries the same
requirement in clause 6.1.2 (b), which asks that repeated risk assessments produce "consistent, valid and
comparable results".
So the more scientific our approach is, the better it suits the standard and the more comparable and
reproducible it is.

Assessing a risk as 'High' does not carry the same precision as saying it is 9 on a scale of 1 to 9, even
though the meaning may be the same.

Beaufort realised this. He defined a scale for wind conditions which has been refined over the years. This scale
extends from 'Calm' to 'Hurricane'. These 'Qualitative' descriptions have been paired with 'Quantitative'
numbers, 0 to 12, which also have corresponding wind speed ranges. This turns a subjectively judged scale into
an objectively assessed scientific scale. We can thus compare one 'hurricane force' storm with another.

When you are thinking about risk methodologies then making them quantitative has many advantages over the
simple qualitative approach. It tends to be more reproducible and therefore makes it easier to compare past and
present risk assessments. It also tends to give more consistent results by removing an element of subjectivity.

Qualitative assessments are easier to do but as they are more subjective they tend to be less reproducible,
certainly over time.

In truth, and pragmatically, we use a mix of both methods.

Very often we use a qualitative approach to identify the key risks. We then use a quantitative approach to
determine the actual size of each risk, and finally express the residual risk qualitatively once it has been
mitigated.
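The mix described above, and the likelihood-and-impact assessment introduced under "Risk Assessments" earlier in these notes, as one added worked example that is not part of the original notes, of RSI Security's method, or of any standard: the same three constructed risk scenarios scored qualitatively on a 5x5 likelihood/impact matrix and quantitatively as annualised loss expectancy (ALE = single loss expectancy x annualised rate of occurrence). Every asset value, rate, label and band threshold is an assumption chosen for illustration.

```python
"""Added example: one risk register scored qualitatively and quantitatively.
Every asset value, rate and band threshold here is constructed illustration
data, not figures from the notes or from any standard."""
from dataclasses import dataclass, replace

# Qualitative scheme: ordinal labels coded 1..5 and combined in a 5x5 matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine two ordinal labels into a band. The 1..5 codes only order the
    labels, so the product ranks risks but is not a quantity you can add,
    average or compare against a control's price."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the affected asset, in currency units
    exposure_factor: float  # fraction of asset value lost per incident, 0.0..1.0
    aro: float              # annualised rate of occurrence: incidents expected per year
    likelihood: str         # the same scenario's qualitative labels
    impact: str


def single_loss_expectancy(r: Risk) -> float:
    """SLE = asset value x exposure factor: the loss from one incident."""
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO: expected loss per year, in the same units as a control's cost."""
    return single_loss_expectancy(r) * r.aro


def rank_by_ale(risks) -> list:
    """Order risks by ALE, highest first; anyone with the same inputs gets the same order."""
    return [r.name for r in sorted(risks, key=annualized_loss_expectancy, reverse=True)]


def control_net_benefit(r: Risk, annual_control_cost: float,
                        new_exposure_factor=None, new_aro=None) -> float:
    """ALE reduction a control buys minus what it costs per year.
    Positive means the control pays for itself; a qualitative band cannot answer this."""
    changes = {}
    if new_exposure_factor is not None:
        changes["exposure_factor"] = new_exposure_factor
    if new_aro is not None:
        changes["aro"] = new_aro
    after = replace(r, **changes)
    return annualized_loss_expectancy(r) - annualized_loss_expectancy(after) - annual_control_cost


# Constructed register: three scenarios that all land in the same qualitative band.
RISKS = [
    Risk("ransomware on file server", 500_000, 0.6, 0.2, "unlikely", "severe"),
    Risk("stolen unencrypted laptop", 5_000, 1.0, 4.0, "likely", "minor"),
    Risk("DDoS against web shop", 200_000, 0.25, 2.0, "possible", "major"),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:26s} band={qualitative_rating(r.likelihood, r.impact):6s} "
              f"SLE={single_loss_expectancy(r):>9,.0f} ALE={annualized_loss_expectancy(r):>9,.0f}")
    print("ranked by ALE:", rank_by_ale(RISKS))
    # Assumed: offline, tested backups cut the ransomware exposure factor from 0.6 to 0.1.
    print("backups net benefit per year:",
          control_net_benefit(RISKS[0], 15_000, new_exposure_factor=0.1))
```

All three scenarios come out 'Medium' on the matrix, which gives no basis for choosing where to spend first; the ALE figures order them (DDoS, then ransomware, then laptops) and let a control's annual cost be weighed against the loss it removes. Residual risk after a control is the same calculation run with the reduced exposure factor or rate, which is the point at which the notes suggest returning to a qualitative label for reporting.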
