We have spent several chapters talking about technology, SSL, X.509, SMTP, messaging, and the "bad dudes." The next question we need to ask is, "How do we keep a business running in this crazy, open Internet environment?" We will work on finding the answer together.
We will discuss the factors that you need to know to keep your business running, in other words, the continuity of operations. Before we go further, however, a simple exercise needs to be completed. First, you must fill in Table 9.1 and determine the service levels of the various functions of your business. The table has three categories (more can be added if needed):
This is the function for which you are trying to set a service level. Again, this is one of those functions that we are doing backward. You may have this service level defined already; if not, it needs to be defined. The backward part is that you may be defining a service level now. This should actually have been done when you first built your business case and model. An example of this would be the web server that houses the order form for customer orders.
This provides details about the function. For example, why is it important? What is the impact if the function or service is down?
If this has not been done previously, define a scale that will reflect each of your functions, for example, 100% uptime.
However, if you really decide on 100% uptime, understand that uptime of 100% is typically very difficult and costly. This table cannot replace a complete SLA analysis. The point of this exercise is to illustrate that you cannot implement security without integrating your SLA and security requirements together.
Security, SLAs, and risk management are tightly related to quality management. Security measures must be implemented based on these factors, and always using the business goals and objectives as the guiding light. You are in business to generate a profit or to increase your market share, not to implement security requirements. Security provides protection of the business against incidents, mistakes, and premeditated manipulation, so that the impact of security incidents is minimal and the business remains viable and continues.
A threat is a danger that could impact the security of business assets, which could lead to a potential dollar loss, capital damage, or loss of customer confidence. In the Internet age, most companies use both an internal network and the Internet to support their daily business processes. Information, knowledge, and data are managed by complex hardware and software. This infrastructure manages customers' contact data, inventory (SKUs), accounting information, and more. This electronic business infrastructure must be controlled and kept within the business community that owns it. This infrastructure cannot be compromised, stolen, corrupted, or destroyed. This infrastructure is what the business runs on. We talked about data categorization before and will not repeat it here, but you must understand how valuable the data is and how it can be accessed.
Threats to your business can come from many different sources:
External attacks (hackers)
Fire, flooding, acts of God
Current or former disgruntled employees
What are the steps required to determine the specific threats?
Define basic security objectives (in relation to your SLAs), for example, availability, confidentiality, and integrity.
Define the various potential system threats and safeguards, such as external users, Internet employees, hackers, or CERT advisories based on the technological solutions that you have for your business.
Generate a business impact analysis. What is the impact on the business if a threat is realized? (The impact is a business consequence, not a technical one.)
Utilize a scale that will assess the impact to the business. Following are some examples:
Low impact: No or very minor effect; major business operations are not affected.
Minor impact: Business operations are unavailable for a certain amount of time; some revenue is lost, but customer confidence is not impacted.
Moderate impact: Intermediate loss to business operations occurs, with some loss in customer confidence.
Significant impact: Customer confidence has been significantly impacted; some customers will be lost permanently.
High impact: The impact is high, but the company may survive at a considerable loss of revenue.
Disaster: The effect is catastrophic; the company cannot survive. Start looking for a new job.
Determine the likelihood of a threat. Following is an example scale:
The threat is highly unlikely to ever occur.
The threat is likely to occur only once in the lifetime of the service or product.
The threat is likely to occur once per year.
The threat is likely to occur once per month.
The threat is likely to occur once per week.
The threat is likely to occur daily.
List the threats. You must create a technology security review (TSR) for each process. The TSR will list the threats and the suggested controls.
Create a control directory (CD). The control directory will list the items in the TSR in relation to the impact and the likelihood of a threat. Also, the suggested controls will be added to this directory.
Create an environment risk table (ERT), which is a document that shows the financial cost of security in relation to the value of what is being secured.
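A worked instance of the steps above, added here as an illustration and not taken from the original text: it builds a control directory and an environment risk table from a small constructed TSR. The 1-6 numeric ranks, the impact-times-likelihood ordering, the short likelihood labels, and all sample threats and figures are assumptions.

```python
from dataclasses import dataclass

# Scales from the text, in the order given; the 1-6 ranks are an assumption.
IMPACT = ["low", "minor", "moderate", "significant", "high", "disaster"]
LIKELIHOOD = ["highly unlikely", "once per lifetime", "yearly",
              "monthly", "weekly", "daily"]  # short labels are assumptions

@dataclass
class TsrEntry:
    """One line of a technology security review: a threat and its suggested control."""
    process: str
    threat: str
    impact: str
    likelihood: str
    control: str
    control_cost: float   # yearly cost of the control
    asset_value: float    # value of what the control protects

def rank(entry):
    """Impact rank times likelihood rank (1..36); unknown labels raise ValueError."""
    return (IMPACT.index(entry.impact) + 1) * (LIKELIHOOD.index(entry.likelihood) + 1)

def control_directory(tsr):
    """TSR entries ordered by rank, highest first; ties broken by impact."""
    return sorted(tsr, key=lambda e: (rank(e), IMPACT.index(e.impact)), reverse=True)

def environment_risk_table(tsr):
    """Rows of (threat, control, cost/value ratio, flag) in control-directory order."""
    rows = []
    for e in control_directory(tsr):
        if e.asset_value <= 0:
            raise ValueError(f"asset value missing for {e.threat!r}")
        ratio = e.control_cost / e.asset_value
        flag = "cost exceeds value" if ratio > 1 else "ok"
        rows.append((e.threat, e.control, round(ratio, 2), flag))
    return rows

# Constructed sample TSR; the order-form web server is the example used in the text.
SAMPLE_TSR = [
    TsrEntry("order form", "external attack on web server", "significant", "monthly",
             "patching and firewall review", 20_000, 500_000),
    TsrEntry("order form", "fire in server room", "disaster", "once per lifetime",
             "off-site standby", 150_000, 500_000),
    TsrEntry("newsletter", "mail relay outage", "low", "yearly",
             "redundant relay", 12_000, 8_000),
]

if __name__ == "__main__":
    for row in environment_risk_table(SAMPLE_TSR):
        print(row)
```

The last row is the case the ERT exists to catch: the suggested control costs more than the function it protects is worth.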