Anyone who has had the pleasure of participating in one of my presentations on information security over the past few years will know I have a favorite picture I like to show. It’s of a padlocked gate I photographed whilst out driving through the Texan countryside. Nothing too unusual about a padlocked gate, except that this one has no fewer than a dozen padlocks arranged around the central bolt. I took the picture for two reasons: firstly, because I was trying out a new camera at the time and thought it would make for an interesting shot, and secondly because it’s a great lead-in to a discussion on security controls. More specifically: about having the right number and combination of controls to be effective.
In the case of the padlocked gate, the number of padlocks certainly made for a gate that was harder to force open. In order to do so, our lock-picker would need to pick or break every one of the locks. However, if the same tool could be used to break all of them, then having 12 locks turns out not to be much more effective than having only one. Even worse, what if we could just climb over the gate? Suddenly it appears that the security controls are in the wrong place completely.
In order to understand which controls are effective we need to understand the nature of the risks and the associated threats that result in the bad outcomes. So, in this case the risk is of unauthorised access through the gate, and the threats might be listed as a) a person walking through the gate, b) a person climbing over the gate, and perhaps even c) a person flying over the gate, and so on. With the threats listed out we can determine how effective our existing controls are at mitigating the risk. Clearly the padlocks mitigate threat a), someone walking through the gate, to some degree, but they do nothing against b) or c).
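The gate analysis above can be written down as a small threat-coverage check. This is an added illustration, not part of the original post: each control records which threats it addresses and the technique that defeats it, so a dozen padlocks that all fall to the same tool count as a single independent control, and threats with no cover are reported as gaps. The control and threat names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A security control, the threats it addresses, and what bypasses it."""
    name: str
    mitigates: frozenset  # threat identifiers this control addresses
    defeated_by: str      # the tool or technique that defeats the control


def assess(threats, controls):
    """Return, per threat, the number of independent controls covering it.

    Controls that fall to the same bypass technique are counted once, since
    an attacker who defeats one of them defeats them all with no extra effort.
    """
    report = {}
    for threat in threats:
        techniques = {c.defeated_by for c in controls if threat in c.mitigates}
        report[threat] = len(techniques)
    return report


def gaps(report):
    """Threats that no control addresses at all."""
    return sorted(t for t, count in report.items() if count == 0)


# Constructed threat list for the gate: walk through, climb over, fly over.
THREATS = frozenset({"walk_through", "climb_over", "fly_over"})

# Twelve padlocks on the bolt, all opened by the same pair of bolt cutters.
PADLOCKS = [
    Control(f"padlock_{i}", frozenset({"walk_through"}), "bolt_cutters")
    for i in range(12)
]

# A second, differently defeated control for comparison (also constructed).
FENCE = Control("tall_fence", frozenset({"walk_through", "climb_over"}), "ladder")


if __name__ == "__main__":
    report = assess(THREATS, PADLOCKS)
    print(report)                    # walk_through covered once, rest zero
    print("gaps:", gaps(report))     # ['climb_over', 'fly_over']
    print(assess(THREATS, PADLOCKS + [FENCE]))
```

Twelve padlocks give walk_through an independent-control count of 1, not 12; adding the fence raises it to 2 and covers climb_over, while fly_over remains a gap.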
There are a number of methodologies you can choose from to accomplish your risk assessment. Most of them are far too complex and time-consuming for day-to-day, business-focused use. A good new resource is this one here at http://www.ism-community.org/ and in particular its documented practical risk methodology.
The most important thing of all is understanding your own environment and acknowledging the risks as they apply to your own specific case. It’s no five-minute job, but it doesn’t need to be overly complex and time-consuming either. Just take a pragmatic approach and work out what is good enough.