There has been a lot of talk about the need for robust IT security.
Is it possible to have too much security? Can you offer me tips on
how to evaluate the risks to parts of my IT infrastructure so that
I can come up with an appropriate response and spend?
Engage with your executive team
Deciding the level of
security needed is a management issue, so engage in a dialogue with
your executive team. To evaluate potential risks, one technique is
to multiply ratings for probability and impact. Given this measure
of risk, you then identify avoidance and mitigation strategies. The
costs of these can be matched to the benefits of risk
reduction.
In analysing risks to infrastructure, consider confidentiality,
integrity, and availability. There could be impacts on networks,
operations, and users, or a combination of these. The
infrastructure will be subject to hackers, virus attacks, internal
fraud and equipment failure. Your company auditors will have
standard checklists for these items and will be happy, I am sure,
to organise a security review.
Outsourced services are also an important area. How do you ensure
that suppliers and outsourcers comply with your security policy? Do
you conduct audits and check failure logs? Are these included in
your service level agreement? Your suppliers can help you in the
evaluation, although there may be a vested interest. A professional
body such as the British Computer Society can provide independent
support.
Sharm Malawi, Henley College
Refer to surveys and guidelines
It is possible to have
inappropriate or ineffective security. An expensive imbalance of
technologies, policies and practices is easily reached. Your
solution needs to address prevention, detection and response and
take into account legal and regulatory obligations if necessary.
Surveys from organisations such as the DTI offer general guidance
on failure costs and identify the frequency and impact of common
incidents, while the BS 7799 guidelines provide a good framework
for your solution development. Identify the key assets you are
trying to protect, relate security issues to business objectives,
and evaluate risks in operational terms.
Membership of a recognised corporate IT security forum can provide
information about new threats as they arise, and help you to assess
your progress.
Ollie Ross, Tif
Enlist experts but use common sense
Yes, it is
possible to have too much security. Security is expensive. The cost
of covering all threats has increased rapidly. But at least the IT
costs are identifiable. There are costs in the user community that
result from needing tighter standards and procedures, and these get
in the way of business efficiency. Such costs are more difficult to
quantify.
Some security actions are essential and many are not expensive to
implement. Evaluating risks and deciding which actions to take is
complex and the task of experts. Much will depend on the nature of
your business, the type of systems you have and your dependency on
IT.
Do apply common sense to the recommendations of experts though.
Some systems approaches may fall down because people, whatever they
are told, will abuse the rules and destroy all the theoretical
benefits.
Roger Marshall, Elite
Base your approach on BS 7799
A BS 7799-based approach is
an ideal template and the risk assessment is the starting point. It
identifies the significance of a breach to your "information" in
terms of denial, confidentiality, authentication, manipulation and
non-repudiation.
You need to ascertain the impact of breaches on your information
provision. For instance, before you spend money encrypting your
e-mails, you should consider whether it is likely that someone else
can intercept them and if they can, whether you care. And having
rock-solid mirrored servers is not much good if you have an
unreliable network.
It is important that you get a steer from the business on the
policy for information security as it is vital that the business
takes responsibility for the risk management process.
On the practical side, there are many security techniques that
should form part of IT good practice, such as regular back-ups,
up-to-date documentation, firewall provision, virus control,
policies and procedures, and restricted access to sensitive areas
and secured buildings. It is important that these form part of an
overall security (BS 7799) framework.
Roger Rawlinson, NCCGlobal
Assess business-criticality of assets
The level of
security that you apply to IT infrastructure should reflect the
criticality of your various infrastructure assets to the business.
You should, therefore, seek advice from business users as to the
impact of loss of availability, confidentiality and integrity for
different assets. When you combine this with information about past
incidents and their business impact, you should be able to rank
your infrastructure assets in terms of information security risk.
Remember that security incidents are more likely to relate to loss
of availability than to breaches of confidentiality. Good controls
to prevent user error, systems failure or virus attack are
therefore as important as controls over network security and
logical access.
David Hughes, Deloitte & Touche
Weigh up various types of loss
How much security to
have is a business decision. On the whole, the more security you
have, the more difficult it is to conduct business. Additional
security also requires increased investment which could otherwise
be deployed elsewhere.
When thinking of the risks, think of the costs/impact on business
processes of losing each system or type of data for minutes, hours
or days. Loss may take many forms - data theft, denial of service,
system failure, data corruption.
You will find that some processes are dispensable for a couple of
days, while others are indispensable, even for minutes. This will
give you an idea of the importance of investing in security,
backups, redundancy and so on for each business process.
It is also worth considering what the possibility of workarounds is
- instead of creating mirror systems, you may find that employing
temps may be more cost-effective in the event of a disaster. Your
aim should be to recover the process, not the IT system per se.
Christopher Young, Impact