Availability and Security

There’s been some heated debate on various other blogs about whether or not availability is a valid part of a security program. This is all in response to an article for ITPro which makes the statement that “in the last year IT has developed a more balanced approach to risk management, with increased emphasis on availability problems as opposed to security.”

One blogger, Michael Farnum, asks the question: “when did it become so vogue to take the ‘A’ out of the (CIA) Triad?” I’ll not disagree that availability should form a part of the security program, but not all aspects of it need to be within the scope of an information security program. If availability is at issue because of a DoS attack or because some bugger hacked into a database and changed everyone’s password then that’s clearly within scope. But what about disaster recovery scenarios or general online product uptime?

Christopher Hoff (same link as earlier) says that the business “separates out availability because the other two are difficult to quantify from the perspective of measuring the impact of controls you put in place to preserve them.” It’s a good point and I’d go further and say that it’s also because availability can be presented as a neat line on a chart whilst confidentiality and integrity are much less understood and rarely so well presented (until either are broken of course).

However, not everyone agrees – on the other side of the fence is this remark:

I really will never understand the foney-bologna nonsense about somehow making availability a part of security. It’s utter nonsense, if security and availability were equal concerns, prisons wouldn’t have lock-downs, nor would banks, airports or bus terminals. Security is one concern and availability is another, opposing concern.

But I think that availability and security are very much entwined; it just depends on your perspective, and I wouldn’t rate the prison scenario as a valid reference point when we’re dealing with security of confidential information within the walls of a corporate business. Let’s take, for instance, availability of confidential data in a database: if we apply security with too much gusto then it’s likely to not be available to all those who need access, or conversely not secure enough. However, if the building catches fire and there is no off-site backup of the database, is that then a security concern? No – that’s a different type of availability, and as the data no longer exists I don’t need to worry about the security of it (yes, you can argue that my program should have concerned itself with ensuring that there are secure on-line backups, and it does, but I’m talking/writing hypothetically). If the off-site backup for disaster recovery purposes is not secure then I’ll make an issue of it.

So, a conclusion. Security and availability are entwined but don’t make the mistake of thinking that every aspect of availability needs to be taken into account.

Read the full article that this blog references here.

Also, read Anton Chuvakin’s opinion on the issue here (Information / IT risk management definitely covers all of C-I-A risks; thus, a security team might not be responsible if lightning strikes a server, but such a scenario must be considered in IT risk assessments.)