lems may warrant resolution within the standard IA operating process; that is,
attention to capturing details, but no extra effort beyond good operational practice
already in place. Problems that are more complex may warrant setting up a problem
resolution team. The goals of the team are to discover the root cause of the problem
via a formal root cause analysis (RCA), identify potential solutions, choose a
solution with the best systemic fit, participate in solution implementation, verify
improvement and enterprise effect, and identify and disseminate lessons learned.
An RCA repository provides quick reference for problem recurrence and promotes
organizational learning. If one team has identified and proven a solution, other
teams should first seek solutions from the RCA repository.
5.9.6.3  Problem-Solving Influence on IA²
Problem-solving teams and the RCA process are part of the IA operations cycle:
anticipate, defend, monitor, and respond. Responses include problem identification,
isolation, treatment, and resolution. Formalizing the process provides feedback into
the anticipate, defend, and monitor phases. The objective of an RCA is to stop the
problem from recurring or at least minimize operational effects of recurrence.
IA problems can be quite complex, with multiple symptoms leading to causes
from many different directions; when the whole is too daunting, divide and conquer.
When faced with a daunting IA problem, use a formal decomposition to
divide the environment into manageable parts. Appendix H provides a guideline
and template for a root cause analysis that assists in this decomposition.
5.10  Commentary and Conclusion
Life offers no ultimate safety except in the ultimate end (Figure 5.9). The best risk
minimization approach is to identify highly probable threats, targets, assets, and
asset vulnerabilities supporting critical business functions; the results drive appropriate
business continuity actions and security resources to satisfy recovery time
objectives (RTOs), downtime tolerances, and loss tolerances.
Information assurance is traditionally a technology bolt-on and business
process afterthought; IA is far more effective when integrated from inception,
not a post-implementation forced fit. IA needs to be an integral part of the
enterprise architecture, systems architecture, business process, technical
development, administrative policies, and operations. Deliver the IA message to the

[Figure 5.9  Risk is past (RIP). Figure text: RIP²: Rest in Peace, Risk is Past.]
 