because they are considered important to the company. However, there
could be a “less important” application that poses a greater vulnerability,
for example, an accounting package whose downtime may not be critical
may still require higher prioritization when it comes to security.
Prioritization is a techno-political process and must be recognized as
such, particularly if there is contention for security funds. The prioritized
list that emerges may reflect the political landscape better than the risk
landscape.
One prioritization method that analysts could use is a Risk and ROI
(return on investment) model. One can classify the risks and use them to
set priorities. Events that can put the company out of business are
obviously more important than those that will interrupt operations for a
day (e.g., the loss of e-mail files of an employee). Some kind of financial
impact analysis can also be done, although it is difficult to quantify
intangibles such as loss of customer confidence when such events occur.
While it is difficult to determine what assets should be protected, at
times companies do not even know, with any degree of accuracy, what
assets they actually have. A server or software may not be on the
accounting topics or in the documentation but yet be present physically.
If it is there, it is part of the security system.
There is another reason why the wrong thing may get protected. What
is seen as important by an organization is not necessarily what the bad
guys want. This is a point-of-view problem. For example, information
about business plans and political dynamics in the executive suites may
be more valuable for a competitor than the current order topic. For an
investigating agency, a compromising e-mail may be of more value than
the salaries of executives. If one is going to protect what is of value, one
must first know what is meant by value, and be clear about whose value
one is talking.
Not every asset has value forever. Along with identifying “what” should
be protected, one must specify “how long” it must be protected.
Management needs to revisit the security needs and allocations on a regular,
perhaps annual, basis. This is similar to individuals who continue to pay
insurance premiums to get coverage for household items that are not
worth being covered anymore as they have become old, and replacement
costs would be lower. Sometimes this duration is driven by legal
considerations — the company has to keep the records secure for a certain
period of time.
Sometimes entities fall outside the security net because one does not
recognize how they are interconnected. An E-commerce application may
depend on the e-mail server to send order information for processing.
The E-commerce system may be protected while the e-mail server may
not be, because this dependency is not realized. This is another reason
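The Risk and ROI model described above, together with the dependency problem (a protected e-commerce system relying on an unprotected mail server), can be made concrete in a small prioritization script. The following is an added illustration, not code or figures from the book: it scores each asset as expected annual loss (likelihood multiplied by impact, an assumed reading of "Risk and ROI" that the text does not spell out), propagates impact along declared dependencies so a mail server inherits the impact of the e-commerce site that depends on it, lists dependencies that fall outside the security net, and computes the return on a proposed control. All asset names, impact values and likelihoods are constructed.

```python
"""Risk-and-ROI prioritization with dependency propagation.

Added illustration; every figure below is constructed, not taken from
any real company or from the text. Risk is scored as expected annual
loss = likelihood x impact, an assumed instantiation of the model.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    impact: float                 # loss if compromised (constructed figure)
    likelihood: float             # annual probability of compromise, 0..1 (constructed)
    depends_on: list = field(default_factory=list)
    protected: bool = False       # already inside the security net?


def effective_impact(assets, name, _stack=()):
    """Impact of losing `name`, including everything that depends on it.

    If the e-commerce site depends on the mail server, losing the mail
    server also loses the e-commerce revenue, so the mail server inherits
    that impact. The maximum (not the sum) is taken so a shared dependency
    is not double-counted; `_stack` guards against dependency cycles.
    """
    own = assets[name].impact
    if name in _stack:
        return own
    dependents = [a.name for a in assets.values() if name in a.depends_on]
    return max([own] + [effective_impact(assets, d, _stack + (name,)) for d in dependents])


def risk_scores(assets):
    """Expected annual loss per asset: likelihood x effective impact."""
    return {n: a.likelihood * effective_impact(assets, n) for n, a in assets.items()}


def prioritize(assets):
    """Asset names ordered from highest to lowest risk."""
    scores = risk_scores(assets)
    return sorted(scores, key=scores.get, reverse=True)


def unprotected_dependencies(assets):
    """Unprotected assets that a protected asset silently relies on."""
    gaps = set()
    for a in assets.values():
        if a.protected:
            gaps.update(d for d in a.depends_on if not assets[d].protected)
    return sorted(gaps)


def control_roi(assets, name, new_likelihood, cost):
    """ROI of a control that lowers `name`'s likelihood for `cost`:
    (risk reduction - cost) / cost, using expected annual loss."""
    before = risk_scores(assets)[name]
    after = new_likelihood * effective_impact(assets, name)
    return (before - after - cost) / cost


# Constructed inventory: names and numbers are illustrative only.
INVENTORY = {a.name: a for a in [
    Asset("ecommerce", impact=500_000, likelihood=0.20, depends_on=["mail"], protected=True),
    Asset("mail", impact=20_000, likelihood=0.30),
    # downtime is not critical, but a compromise is costly (the text's accounting example)
    Asset("accounting", impact=300_000, likelihood=0.25),
    Asset("wiki", impact=10_000, likelihood=0.50),
]}

if __name__ == "__main__":
    scores = risk_scores(INVENTORY)
    for n in prioritize(INVENTORY):
        print(f"{n:12s} expected annual loss {scores[n]:>10,.0f}")
    print("unprotected dependencies:", unprotected_dependencies(INVENTORY))
    print("ROI of hardening mail:", round(control_roi(INVENTORY, "mail", 0.05, 30_000), 2))
```

Note what the dependency propagation does to the ranking: on its own figures the mail server is a minor asset, but once it inherits the e-commerce impact it becomes the top priority and is also flagged as the gap in the security net. Taking the maximum rather than the sum of dependent impacts is a deliberate choice to avoid counting one outage several times when many systems share a dependency; a sum would be the more pessimistic alternative.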