Risk Management Lectures (2)

The following series represents lecture material that I’ve used from time to time in discussing the problem of IT Risk Management. I’ll be providing this material on my blog as a series of information related to the topic.

***

Avoiding a Common Misunderstanding

The word “disaster” carries a particular social connotation of absolute calamity: death, destruction, and mayhem. This is, in fact, a dangerous perception, because it can lull us into looking at “disaster” through a single lens: we are “safe” so long as we relocate our data center to a region with relatively little natural catastrophic activity. That couldn’t be more distant from the truth. As Toigo points out on page 47, figure 2-3, the vast majority of information system disruptions arise from more mundane causes – human error and malfunction – rather than from natural disaster (just 3%, as compared to 90%, of leading causes).

Also, a “disaster” situation doesn’t necessarily mean property loss or evacuations – but a disruptive effect on dependent business processes could still be suffered if, say, a transformer malfunction prevented a cold restart of a major computing platform. Scale is not as important as effect.

The CIA Triad

In analyzing the security of an information system, we are chiefly concerned with three elements: confidentiality, integrity, and availability, which together reflect the relative security of the system. Confidentiality refers to the way an information system allows those who have a right to know to access information.

Confidentiality also refers to the way an information system identifies those who do not have the right to know and denies them access to information. An information system with a weak confidentiality safeguard would be incapable of distinguishing those who have a right to know from those who do not.

Integrity refers to the way the information system is able to log, track, audit, and demonstrate how it maintained confidentiality. With a weak integrity control, it would be difficult to review an audit to verify whether the system had indeed performed correctly in enforcing confidentiality; an audit of such a system would not be possible. Verifying the information system and its safeguards would be difficult if not impossible.

Finally, availability refers to the way information systems are extended to those who need the information, at the time they need it, to make a reasonable decision. Availability in some ways also reflects accessibility. An information system with weak consideration for availability would diminish its overall usefulness: if information cannot be provided to those who require it at the point when they require it, then the value of that information system is relatively moot.

In considering the CIA Triad, we can see that it poses a significant design challenge for any IT function. On the one hand, availability can be sacrificed to ensure higher degrees of confidentiality and integrity. On the other hand, confidentiality could be sacrificed for more openness and the ability to share information with others. And finally, integrity could be sacrificed so that the information system could be both available and accessible to all users.

We must remember that security is nothing more than the confidence we feel when evaluating the safeguards taken to protect the information system. If security is a measure of confidence, then we will have more confidence when more steps are taken to preserve the CIA of the information system. Therefore, our analysis of the security of an information system begins with the confidence we have in the overall controls needed to enforce the CIA Triad.

Next Time: Risk Analysis as a Tool to Determine Effects of Disasters on Business Strategy

R

Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, MCSE, a Masters Degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.