- 26/11/2012
- Posted by: essay
- Category: Free essays
1. There is no section in Chapter 2 titled anything like “Controlling Threats from the IT Staff,” but various countermeasures surface throughout the chapter. Report upon these.
Panko notes that the easiest decision is to place IT security within the company’s IT department, but that this is also the riskiest one, because many security threats come from IT staff themselves. First, IT security reaches far beyond the IT department, so security policy should not be built by the IT department alone. Second, to control threats that may come from IT staff, responsibility for IT security can be placed outside the IT department, which removes dependence on IT staff for security decisions. Panko also describes a hybrid solution in which technical implementation stays with IT staff while policy is set by another department or an external body. Finally, an IT auditing department is recommended for examining the efficiency and security of the IT staff’s work.
2. Collect and report the points on outsourcing IT security appearing throughout Chapter 2.
IT security can be outsourced in several ways, and Panko describes the most common of them. A very common form is outsourcing e-mail filtering. Beyond outsourcing specific tasks like this, a company can use a managed security service provider (MSSP); this gives independence from in-house staff and an additional layer of security. Usually not all security functions are handed to the MSSP, but only a part of them.
3. The validity of quantitative inputs to risk analysis is always subject to question, but this is especially so when risk analysis is performed within the milieu of information assurance. Panko exemplifies in the sections “Uneven Multiyear Cash Flows,” “Total Cost of Incident (TCI)”, “Many-to-Many Relationships between Countermeasures and Resources,” and “The Impossibility of Computing Annualized Rates of Occurrence” (pages 74-76).
Although “classic risk analysis is impossible to do, companies need to try doing something close to it” (page 77). How should we proceed?
Although the measurements that classic risk analysis calls for are almost impossible to perform exactly, especially in IT security, the basic steps of risk analysis should still be carried out. Even if loss expectancies and probabilities of threat occurrence cannot be known for certain, and the impact of a countermeasure is hard to isolate (especially for one such as a firewall that covers many types of threats and many resources), these estimates still give an overview of the risks and build the understanding that a risk-based approach depends on. Risk management can then proceed on the basis of this approximate estimate. If the estimates are not made at all, risk management becomes almost impossible, and the main instrument for reducing security risk cannot be used.
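As an added worked example (not part of the original essay or of Panko’s text), the following Python block carries the classic risk-analysis arithmetic through on constructed figures: single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE = SLE x ARO), and the net present value of a countermeasure whose yearly costs are uneven and which covers several resources at once. Two modelling choices are assumptions of this example rather than anything the essay states: the SLE is taken as the total cost of one incident (asset loss plus a fixed response cost), and the countermeasure gives no benefit in the year it is installed. The `aro_sensitivity` function shows the point of the “Impossibility of Computing Annualized Rates of Occurrence” section: the same countermeasure goes from clearly worthwhile to clearly not worth buying when the guessed ARO is off by a factor of two.

```python
"""
Classic (quantitative) risk analysis arithmetic, with two of the complications
Panko raises: uneven multiyear cash flows and the sensitivity of the result to
an annualized rate of occurrence (ARO) that can only be estimated.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Resource:
    name: str
    asset_value: float      # value of the resource
    exposure_factor: float  # fraction of asset_value lost per incident
    response_cost: float    # fixed cost per incident (cleanup, notification, downtime)
    aro: float              # annualized rate of occurrence: incidents per year (an estimate)

    def sle(self) -> float:
        """Single loss expectancy. Assumption of this example: the total cost of one
        incident, i.e. direct loss of asset value plus the fixed response cost."""
        return self.asset_value * self.exposure_factor + self.response_cost

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    name: str
    # One countermeasure can cover several resources (the many-to-many problem):
    # resource name -> fraction of that resource's ARO the countermeasure removes.
    aro_reduction: dict
    # Cash outflow per year, index 0 = purchase/installation year. Uneven on purpose.
    costs: list


def annual_benefit(resources, cm, aro_scale=1.0):
    """ALE avoided per year, summed over every resource the countermeasure covers.
    aro_scale multiplies every ARO so a wrong ARO estimate can be explored."""
    benefit = 0.0
    for r in resources:
        if r.name in cm.aro_reduction:
            benefit += r.ale() * aro_scale * cm.aro_reduction[r.name]
    return benefit


def npv(cash_flows, rate):
    """Net present value of yearly cash flows (list index = year)."""
    return sum(cf / (1.0 + rate) ** year for year, cf in enumerate(cash_flows))


def countermeasure_npv(resources, cm, rate, aro_scale=1.0):
    """NPV of buying the countermeasure. Assumption: year 0 carries only the purchase
    cost (no protection until installed); later years carry benefit minus that year's cost."""
    benefit = annual_benefit(resources, cm, aro_scale)
    flows = [-cm.costs[0]] + [benefit - c for c in cm.costs[1:]]
    return npv(flows, rate)


def aro_sensitivity(resources, cm, rate, scales):
    """NPV under several guesses of the true ARO, as multiples of the estimate."""
    return {s: countermeasure_npv(resources, cm, rate, s) for s in scales}


# Constructed example inventory (not from the textbook).
RESOURCES = [
    Resource("web_server", 200_000, 0.5, 10_000, 0.2),
    Resource("customer_db", 1_000_000, 0.3, 50_000, 0.1),
    Resource("mail_server", 50_000, 1.0, 0, 1.0),  # not covered by the firewall below
]

# A firewall protecting two of the three resources; year 3 includes a hardware refresh.
FIREWALL = Countermeasure(
    "perimeter_firewall",
    aro_reduction={"web_server": 0.75, "customer_db": 0.5},
    costs=[40_000, 8_000, 8_000, 12_000],
)
DISCOUNT_RATE = 0.10

if __name__ == "__main__":
    print("baseline ALE per resource:", {r.name: round(r.ale()) for r in RESOURCES})
    print("annual benefit of firewall:", round(annual_benefit(RESOURCES, FIREWALL)))
    print("firewall NPV at estimated ARO:",
          round(countermeasure_npv(RESOURCES, FIREWALL, DISCOUNT_RATE), 2))
    for scale, value in aro_sensitivity(RESOURCES, FIREWALL, DISCOUNT_RATE, [0.5, 1.0, 2.0]).items():
        print(f"  if the true ARO is {scale}x the estimate: NPV = {value:,.2f}")
```

With these figures the firewall has a positive NPV of roughly 21,653 at the estimated ARO, but a negative NPV of roughly -20,624 if incidents are actually half as frequent as guessed. That swing, driven entirely by a number nobody can measure, is why the essay’s answer treats the result as an approximate overview for ranking risks rather than as a precise figure.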