Tuesday, July 29, 2014

Risk Mitigation

Risk Mitigation: a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. Also called risk reduction.

How to Control Risk

Privilege Management: the process of assigning and revoking privileges on objects; that is, the procedures for managing which subjects are authorized to perform which operations on which objects.

Change Management: a methodology for making modifications and keeping track of those changes. Change management seeks to approach changes systematically and to produce the necessary documentation of each change.

Incident Management: the framework and functions required to enable incident response and incident handling within an organization. The objective of incident management is to restore normal operations as quickly as possible with the least possible impact on either the business or the users.

Types of Security Policies

User Policies - Define what users can do when using your network or data and also define security settings that affect users such as password policies.
  • Password Policies - This policy helps keep user accounts secure. It defines how often users must change their passwords, the minimum password length, complexity rules (which character classes must be used, such as lower-case letters, upper-case letters, numbers, and special characters), and other items.
  • Proprietary Information Use - Acceptable use of any proprietary information owned by the company. Defines where it can be stored and where it may be taken, how and where it can be transmitted.
  • Internet Usage - Use of Internet e-mail; use of programs that send passwords or other data unencrypted over the Internet.
  • System Use - Program installation; no instant messaging; no peer-to-peer file sharing such as Kazaa or Morpheus; restrictions on the use of your account and password (they are not to be shared with anyone).
  • VPN and remote user system use (remote access) - Remote systems must be checked for viruses, trojans and backdoors, and must run a personal firewall and anti-virus software.
  • Acceptable use of hardware such as modems - No use of modems to internet without a personal firewall.
IT Policies - Define the policies of the IT department used to govern the network for maximum security and stability.
  • Virus incident and security incident - Intrusion detection, containment, and removal.
  • Backup policy - Define what to back up, who backs it up, where it is stored, how long it is stored, how to test backups, what program is used to do backups.
  • Client update policies - Update clients how often and using what means or tools.
  • Server configuration, patch update, and modification policies (security) - Remove unneeded services (harden server). 
  • Firewall policies - What ports to block or allow, how to interface to it or manage it, who has access to the control console.
  • Other IT policies - Wireless security, VPN, router and switch security, DMZ policy, e-mail retention, auto-forwarded e-mail policy, the right of IT to audit systems and perform risk assessments, and the list of acceptable encryption algorithms.
General Policies - High level policies defining who is responsible for the policies along with business continuity planning and policies.
  • High level program policy - Defines who owns other policies, who is responsible for them, scope and purpose of policies, any policy exceptions, related documents or policies.
  • Business continuity plan - Includes the following plans:
    • Crisis Management - What to do during any crisis that may threaten the organization.
    • Disaster Recovery - Subfunctions:
      • Server recovery
      • Data recovery
      • End-user recovery
      • Phone system recovery
      • Emergency response plan
      • Workplace recovery
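The Password Policies bullet above lists what such a policy specifies (expiry, minimum length, character-class complexity) but not how it is enforced. The following is an added example, not code from the original page or from either of its sources: a standard-library-only Python check that reports every violation of an assumed policy (12-character minimum, 3 of 4 character classes, no reuse of the last 5 passwords; these thresholds are illustrative, not values from the page) and tests reuse against salted PBKDF2-HMAC-SHA256 hashes of previous passwords rather than stored plaintext. One caveat a practitioner should know: current NIST SP 800-63B guidance discourages forced periodic rotation and composition rules in favour of length and screening against known-breached passwords, so the rotation interval itself is deliberately left out of the code below.

```python
"""Added example: enforcing a password policy in code.

Checks a candidate password against an assumed policy (minimum length,
character-class complexity, and no reuse of recent passwords) using only
the Python standard library. Previous passwords are kept as salted
PBKDF2-HMAC-SHA256 hashes, never as plaintext."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the history hashes


@dataclass(frozen=True)
class PasswordPolicy:
    # Illustrative thresholds; a real policy sets its own values.
    min_length: int = 12
    min_classes: int = 3    # of the four classes: lower, upper, digit, special
    history_depth: int = 5  # number of previous passwords that may not be reused


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2 hash; returns (salt, digest) for storage in the history."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history: list) -> bool:
    """True if the candidate equals any stored (salt, digest) entry.

    Each entry is re-derived with its own salt and compared in constant time."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_password(password: str, history: list, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    found = character_classes(password)
    if len(found) < policy.min_classes:
        violations.append(f"only {len(found)} of {policy.min_classes} required character classes")
    if matches_history(password, history[-policy.history_depth:]):
        violations.append(f"matches one of the last {policy.history_depth} passwords")
    return violations


def rotate_password(new_password: str, history: list, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Apply a password change: reject on any violation, otherwise append the new
    hash and return the history trimmed to history_depth entries (oldest drop off)."""
    violations = check_password(new_password, history, policy)
    if violations:
        raise ValueError("; ".join(violations))
    return (history + [hash_password(new_password)])[-policy.history_depth:]


if __name__ == "__main__":
    # Constructed sample run, not real account data.
    history = rotate_password("Correct-Horse-9", [])
    print(check_password("short", history))             # too short, one class
    print(check_password("Correct-Horse-9", history))   # reuse of current password
    print(check_password("Correct-Horse-10", history))  # [] -> acceptable
```

The history check re-hashes the candidate under each stored salt, so a leaked history file yields only slow-to-crack hashes, and `hmac.compare_digest` avoids leaking match position through timing. Returning a list of violations rather than a bare boolean lets the calling system tell the user exactly which rule failed.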

How Awareness and Training Provide Increased Security

Awareness and training involve instruction regarding compliance, secure user practices, and an awareness of threats. Awareness and training also involve helping users understand how their normal practices can impact the security of the organization.

With compliance, users should be made aware of the organization's established security strategy as well as the reasons it is necessary to adhere to it. This can include training on security policies and procedures; data labeling, handling and disposal; the handling and safeguarding of personally identifiable information; and compliance with laws, best practices and standards.

Some user practices include password behaviors, data handling, clean desk policies, preventing tailgating, and the use of personally owned devices.

With threat awareness, users may be unaware of the security threat that a practice or technology introduces. For example, when peer-to-peer (P2P) networks are used for file sharing, the system may become susceptible to viruses, worms, trojans, and spyware. Another technology associated with this type of threat is social networking. Users often include personal information in their profiles for others to read, and attackers may harvest this data and use it for malicious purposes. A further consideration is the vulnerability of the social networking site itself, and how easily attackers might break into it to steal user information.

http://www.businessdictionary.com/definition/risk-mitigation.html
http://www.comptechdoc.org/independent/security/recommendations/secpolgen.html
