Risk Mitigation Strategy

XYZ Corp (Name Witheld)

Background

Our client, one of the largest corporations in a major industry, has the overall goal of reducing risk to its corporate assets and personnel. Management understands that the loss of some of their information assets directly impact revenue while the loss of other information assets directly impacts profitability.

XYZ came to the Fulcrum team because of our reputation, superior methodology, cost-effective solutions, and because of clear benefits of our technical approach—over and above a single-system solution.

Solution

Fulcrum understands that just providing the latest software patch does not create a secure system or assets. Furthermore, Fulcrum is concerned with providing security countermeasures that can evolve into enterprise-wide security solutions, achieving economies of scale in resource expenditures.

Fulcrum and the client agreed that the result of the risk assessment should be more than a stack of paper. A key part of the Fulcrum approach, therefore, was to provide security awareness and training to the client's management and operational staff.

For each system or organization, a joint security team including at least the system owner and Fulcrum technical engineers would:

• define the system needs;
• prioritize the order that assets are evaluated;
• define the levels of security required for each asset;
• define the threats and vulnerabilities that could harm the assets;
• determine the countermeasures and the efficiency of countermeasures currently in place;
• calculate the level of risk for each asset, based on the information gathered; and
• define any additional countermeasures that need to be implemented to reduce risk to an acceptable level for each asset.

Results

The client told us that they would have been pleased with our results even if all we provided was an accurate assessment of risks, but because of our methodology, they avoided all of the pitfalls and expenses associated with extrapolating a Risk Assessment approach throughout an organization. Specifically, Fulcrum provided:

• a detailed list of threats and vulnerabilities applicable to the information technology assets;
• a report on the level of acceptable risk to the assets;
• security test plans, scans, non-intrusive testing, and test results;
• risk assessment results;
• appropriate countermeasures to management, operational, environmental, and technical risks;
• security awareness and training for the operational environment;
• system remediation plans;
• disaster recovery plans; and
• information security system plans.

In addition, we showed how each type of countermeasure could be extrapolated into a minimum set of solutions for an entire corporation. Working with the client, we implemented many countermeasures, such as creating security policies, security administration handbooks, disaster recovery plans, and security configuration (lockdown) policies for various hardware, software, and operating system environments.

Because of the Fulcrum Security Training/Workshop and team approach to conducting risk assessments, the system owners were able to "buy into" both the methodology and the analysis results as they were being produced. Since formal security testing was conducted, the risk assessment results are quantitatively accurate. The scanning process associated with some of the tests also helped to ensure the accuracy of an asset baseline that was rolled into a new asset management system and a configuration management baseline.