transactions prevented; customer fears of loss are assuaged through “no-loss” or limited-liability guarantees. While one can debate whether this can be considered a security solution, from a business point of view it does address the security problem, or at least its impact on the customer. Such approaches demonstrate the fact that a security system has many elements — business, technical, process, and human behavior — and one can choose to invest differently among the various elements, depending on one's needs and the situation.
Identifying the Correct Entities to Protect
An entity at risk should be well recognized by those responsible for handling the risk. In the case of national security, the armed forces are very clear that their objective is to protect the nation's boundaries and its key infrastructure assets. However, in the world of information systems, when one speaks of information security, there may be some ambiguity regarding what should be protected. It seems satisfying to think that something called “information” is being protected, but this is too generic a term. In fact, there are a number of things that come under this generic umbrella: data, applications, services, infrastructure, to name a few. Recognizing the entity to be protected is very important to obviate the risk of protecting the wrong entity.
Take the case of services. Although the application is “working properly,” there could be threats to the continuity or the quality of the services provided to the customers. One form of such a threat is a “denial of service.” The actual denial of service can be achieved in many ways, one being through consuming all available resources on some portion of the infrastructure, so that genuine customers have nothing left to be serviced. In other scenarios, business operations may be badly affected if the internal systems are attacked. If e-mail systems are down, or CRM (customer relationship management) applications used by the helpdesk are prevented from being available, then operations are affected in ways that cause considerable harm. Here, the objective is disruption — not the stealing of information. It is also possible that attackers are after neither disruption nor theft of information assets, but wish to affect the company's reputation or brand through security incidents that get widely (and adversely) reported in the public media. Do not jump to the conclusion that data is the most important thing that security must address. It may very well be so in the majority of cases, but priorities can differ.