Hello and welcome back to this lecture where we’ll be looking at mitigation.

Mitigation comes in four steps: you've got risk reduction, risk avoidance, risk transfer, and risk retention. Now, you might remember those. I hope you do, because when you do risk, you'll find that there's lots of different ways to say the same thing. Depending on which course you're doing, or who you're speaking to and how they were trained, or what certification that they like best and that they trained for, you will get different versions of the terminology. But when it comes to treating risk, there is a universal understanding, and I call them the four Ts: treat, transfer, terminate, and tolerate. Those are your four Ts. 

This works in an interesting way. There's a term out there that says accept. Now, we accept a risk when we first analyze and we see that it's a risk for us. If it reaches our risk acceptance level, we just accept it. If it doesn't reach our risk acceptance level, then we do all this stuff. We do risk treatment. If we accept it, the risk comes in. We just put the risk into our risk treatment plan, we monitor it, and we say, "We've got a risk." If it doesn't reach our risk acceptance level, i.e. the impact is too great for our finances and we're not happy to take that risk on like that, we will then have to do something about it. We're going to treat it, in order to reduce the risk. How would we reduce that risk? What are the components of the risk from our calculation before?

As we said before, it’s impact and likelihood. So if we're going to reduce risk, we're either reducing the impact, or its likelihood, or we need to take measures to control them.

We'll be using controls and perhaps outsourcing some of it to third parties, for example, giving our data to a cloud provider. We'll still retain the risk. We're still liable but we've outsourced some of the risk of maybe processing that data ourselves, or having to maintain those systems. If we terminate something, we can cease the activity altogether, get rid of the asset, all of those that actually sound like terminating an actual asset. And that's the only way that we can go about it. Actually getting rid of an asset, ceasing the activity altogether. Those are our two main things. So we end the exposure altogether. Or we can change our behavior around that particular risk, and that can actually terminate the risk as well. It's not very likely that change of behavior removes risk altogether because it often comes with training. However, training is not 100% foolproof because humans are still prone to making errors.

So, the final one is toleration. Tolerating. It's not acceptance. We only tolerate a risk once it's gone actually through our risk reduction process, or our risk transfer process. If we treat a risk and we transfer a risk, we'll then look at those two risks again and say, "Has it now met our risk acceptance level? Yes. Okay." Well then, we're not actually doing risk acceptance, now we're doing risk tolerance. And that's the difference in terminology. So once we've gone through our process of mitigation, we then tolerate it as opposed to just accepting it.

Controls can be technical, procedural, physical, legal, regulatory, compliance, that kind of thing, and they can be classified in these various different ways. So we've got technical controls. Encryption is an example of a technical control. Bear in mind, technical can also be our actual physical boxes like our firewalls and those types of things as well. Our IBSs and our IPSs. So they do fall into this category as well, so don't be confused by that. They're not physical, they're still considered technical devices, so they're technical security that then use physical security to protect those technical devices. So our IBSs, IPS, anti-virus, two-factor authentication, IAM (identity access management), all those are technical controls.

What about our procedural controls? So we've got security awareness and training. All of that really just falls down to policy because we implement these and then we put policy in place. So we have security awareness, contracts, operating procedures, electrical awareness, etc.

Physical security. So, under physical security we have privacy screens, security officers, shred stations, lock storage, building access control or passes, turnstiles, CCTV, attack dogs, landmines, moats, it all falls into physical. And then obviously, you've got the policies that these sit underneath as we have here, and the regulations and all that other stuff that we have to adhere to. That all falls into place.

We then classify these as directive, deterrent, preventative, compensating, detective, corrective, recovery. What could be a physical recovery control? A control that you could use for recovery in your information systems or your environment, for example, uninterrupted power supply - UPS’s, generators. Then you have to do all your extra stuff like making sure that your generators don't have stale diesel and all that type of stuff. Or if you live in a very cold place, your diesel doesn't turn stale, use kerosene instead.

Then, preventative. Which of these is a preventative control? Encryption is a preventative control. Why? Because of confidentiality. Encryption takes care of confidentiality. It does take care of integrity as well, but not until we really start to talk about cryptography, which is what encryption falls underneath.

The detective procedural control that happens with ISO 27001 before you get certified is auditing. It's one of our best detective controls. Audits take care of integrity. They're looking for the accuracy and the completeness of data, but they're not actually protecting the accuracy and completeness of data. They help you to make sure that you can actually go and take care of integrity.

If you're saying you're doing something and you're not really doing it, then what you're saying about that asset isn't complete and true. If you're doing that audit on your accounts, you can actually see whether the confidentiality has been taken care of. If you're doing an audit on your systems, you can see if the availability of all your systems is there or if your system is going down. So audits detect issues in CIA - that's what they do for various different assets and systems.

Compensating. Which systems compensate? UPS also compensates. You can have one control which does two things: it can be both a directive and a deterrent. Like a sign, for example: "Do not touch the electric fence. You will be fined." For every person that gets shocked, they will also be fined for touching the fence. It’s a deterrent because it’s warning that you’re going to get a shock but it's also a directive because it’s telling you what not to do.

When dealing with physical security we have to build defense-in-depth to protect our data and our organizations. Data is the most important thing.

So we build our building, we lay cables, but we lay the protection for cables first. We also do things such as, we don't lay data cables at heights that people can reach them. All our data cables are way up here so that people can't get their hands on them and splice into our cables, and steal our data, or steal our clients’ data. 

So let's say this is our building. Here's our door, our main door right there. We've got a driveway here leading up to our main door. And then to protect our driveway we could install some gates. And to make sure people can’t simply wander onto the premises, we can install a fence. Fantastic. So, there's our fence.

Then, once we're inside the building, there's our reception desk, there’s our security guard. Here are our offices back here and here are our toilets. There we go. We need to ask ourselves: "what should we add to make sure that our offices are secure? And where should we put our server room?". We would probably set the server room behind the reception; we’d want it away from the public. Now, we also need some walls. So we need to think about what we want to have sectioned off. So we can section off the office space behind the reception as well as the server room. We’ll need to add in another toilet, though, because you don’t want your employees to have to pass the security gate each time. So there, now we have a toilet that’s accessible to the public and one that isn’t. So, we’ve essentially blocked off half the building to the public, and we also need to block off the security office where the security guard is so that nobody can get access to the CCTV. Okay, so we've got our security office. It's a rather large office just for one person but never mind. Now, since we want access to the offices, what we could do is we could add a man-trap or a turnstile right there, or somewhere where people have to present their passes, once again, to gain access to the offices.

Now, as well as all of this physical security, we can have CCTV here, and CCTV outside as well, having a good look at all of our building and our external areas.

We can have a fire-door to the rear of the offices somewhere, because that's also a part of security, let's not forget. We do all of that to protect our organization. And notice that we put the server room in the middle, away from the walls, that's really good. That's important. This is what we call defense-in-depth; we built defense from the outside in until we get to our server room, because this is the area that we want most protected. All our data, everything that protects our building. So, our business is here, in the server room - everything that makes us money is right here in this room, serving our organization. So we protect this like it's the crown jewels. That's why it's in the middle of the building.

Then, once we have taken care of all the physical aspects of things, we then apply our procedural controls. So, they will cover things such as how people can come into the building. So, for example, you must present your pass, your pass must be changed every year so we've got an updated picture of your face, all of those types of things.

And then we talk about our technical security. We've got firewalls. The feeds from the CCTV cameras will go to a particular server. Access control. Your passes that are physical. The information that's on those actual control panels will be fed back to a system that records who accessed the building. That's our technical control, our IM systems.

And so we do what we call defense-in-depth. Even with technical security we do defense-in-depth. So we won't use one encryption suite, we'll use multiple encryption suites that aren't the same, so that if you break one, you haven't broken them all. And we do defense-in-depth in everything, absolutely everything, and that's where we get our safety from.

It’s not enough to simply use anti-virus, which is how we saw it in the past. We now have to look at actual robust security overall, and so we put all these controls in place to mitigate against either the impact of somebody running into our building or getting out if they stole something but they couldn't get back out of the man-trap, because you need your pass to get back out through the man-trap.