As computer engineers, every time we develop software, the first thing we need to do is analyze and document what we call plan B, in case we experience any unfavorable outcome that might compromise our software in any way (remember the CIA principles?).
First of all, we need to categorize the system based on the level of availability, integrity and confidentiality that it must have. We won't give the same priority to a public web server and a server that is specifically used to store classified information. The web server might have a backup server to which all the traffic can be re-routed, but what about a compromised server with classified information? If the information is compromised, there is no turning back, and this is why it must be our priority.
To plan a proper risk management alternative, we need to follow a process:
- Categorize: We need to take into consideration the business needs and the architecture of the system.
- Select: We need to select the security controls that will manage the risk.
- Implement: Put the chosen security controls into practice.
- Assess: Test the security controls, monitoring and measuring them to make sure that the program is working efficiently.
- Authorize: We need to base our decision on the risk that could be caused to the organization and individuals.
- Monitor: Check whether the security controls are working as intended and, if not, repeat the cycle.