Fine Line between Clever and Stupid


The movie This is Spinal Tap holds one of the best lines of all time: "there's a fine line between clever and stupid" (Reiner, 1984). This line holds true in the business world as well, especially in the context of information security and assurance. Striking the right balance is often more of an art form than one of pure science. Every firm must determine for itself what exactly is stupid and what is clever.

What is stupid? One way to begin defining what is stupid is by working backwards, almost as a reverse engineering exercise of sorts. A computer system that is 100% secure is one that is 100% inaccessible from any network, and thus useless. As can be deduced, this predicament does not possess the desired security qualities. If customers and partners in the supply chain find that it is impossible to connect with the firm, they will abandon their attempts and seek to do business with others.

To define what is clever, the firm must determine what level of security provides the best security posture at an acceptable level of risk. Performing a detailed risk assessment involves looking at the technical specifications of the network infrastructure and marrying that information with the requirements of the actual business operations. This information includes the requirements of the unique business functions, operational requirements, core competencies, mission, and an understanding of customer demands. The vulnerabilities of the infrastructure can then be identified, paired with the predominant threats, and evaluated against the operational requirements.

These data are collected and analyzed through a risk assessment process. It is imperative that during the risk assessment process most, if not all, functional area experts are represented, so that unique and critical operational requirements are identified and maintained for the continued operation of the firm. The identified vulnerabilities and threats are then evaluated to determine which represent the highest priority. This priority is typically tied to their mission criticality.

Vulnerabilities and threats that, if exploited, could bring business operations to a halt should be given the highest priority. Those vulnerabilities and threats that cause only minimal and insignificant impact, or that are not likely to be exploited, should be given the lowest priority. After the vulnerabilities and threats have been assigned a priority, mitigating strategies can be designed to minimize or eliminate them, with consideration of the operational and financial impacts of implementing such security mechanisms.
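The prioritization and mitigation-selection steps described in the last three paragraphs can be made concrete with a small risk-register model. The following Python is an added example, not code from the book; the impact and likelihood scales, the score thresholds, the assets, threats, controls and costs are all constructed for illustration, and a real assessment would substitute the firm's own agreed definitions. It ranks each vulnerability/threat pairing by impact times likelihood, treats "halts operations" as the top impact level, rejects any control that would make the asset unusable (the "100% secure, 100% useless" trap), and then picks controls in priority order within a budget.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordinal scales, constructed for this example. "halts operations" is the
# highest impact level, matching the text's rule that such risks come first.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "severe": 4, "halts operations": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
HIGH_THRESHOLD = 15   # score >= 15 is "high"; constructed cut-off
MEDIUM_THRESHOLD = 6  # score >= 6 is "medium"; below that is "low"


@dataclass
class Control:
    name: str
    cost: float                  # constructed annualised cost of the control
    residual_likelihood: str     # likelihood once the control is in place
    breaks_operation: bool = False  # True if the control makes the asset unusable


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: str       # key into IMPACT
    likelihood: str   # key into LIKELIHOOD
    controls: List[Control]

    def score(self) -> int:
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def residual_score(self, control: Control) -> int:
        return IMPACT[self.impact] * LIKELIHOOD[control.residual_likelihood]


def priority_band(risk: Risk) -> str:
    s = risk.score()
    if s >= HIGH_THRESHOLD:
        return "high"
    if s >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    # Highest score first; ties broken by raw impact so "halts operations" wins.
    return sorted(risks, key=lambda r: (-r.score(), -IMPACT[r.impact]))


def best_control(risk: Risk) -> Optional[Control]:
    """Choose a control with operational and financial impact in mind.

    Controls that would halt the business function are never eligible.
    Among the rest, prefer the cheapest one that brings the residual score
    out of the "high" band; if none does, take the largest reduction.
    """
    usable = [c for c in risk.controls
              if not c.breaks_operation and risk.residual_score(c) < risk.score()]
    if not usable:
        return None
    acceptable = [c for c in usable if risk.residual_score(c) < HIGH_THRESHOLD]
    if acceptable:
        return min(acceptable, key=lambda c: c.cost)
    return max(usable, key=lambda c: risk.score() - risk.residual_score(c))


def plan_mitigations(risks: List[Risk], budget: float) -> List[Tuple[str, str]]:
    """Walk the register in priority order and fund controls until the budget is spent.

    Low-band risks are accepted rather than mitigated, per the text's guidance.
    """
    chosen: List[Tuple[str, str]] = []
    remaining = budget
    for r in prioritize(risks):
        if priority_band(r) == "low":
            continue
        c = best_control(r)
        if c is not None and c.cost <= remaining:
            chosen.append((r.asset, c.name))
            remaining -= c.cost
    return chosen


# Constructed risk register for a hypothetical firm.
REGISTER = [
    Risk("order database", "ransomware", "remote admin port reachable from the internet",
         "halts operations", "likely",
         [Control("Unplug database from network", 0, "rare", breaks_operation=True),
          Control("Restrict remote admin to VPN with MFA", 12000, "unlikely"),
          Control("Quarterly patching only", 2000, "possible")]),
    Risk("partner EDI gateway", "credential theft via phishing", "single-factor partner logins",
         "severe", "likely",
         [Control("Disable partner portal", 0, "rare", breaks_operation=True),
          Control("MFA on partner portal", 8000, "unlikely")]),
    Risk("public website", "defacement", "outdated CMS plugin",
         "moderate", "possible",
         [Control("Patch CMS plugins monthly", 3000, "rare")]),
    Risk("break-room printer", "unauthorised config change", "default admin password",
         "negligible", "possible",
         [Control("Change default admin password", 200, "rare")]),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        c = best_control(r)
        print(f"{priority_band(r):6} {r.score():2}  {r.asset}: {c.name if c else 'accept'}")
    print(plan_mitigations(REGISTER, budget=20000))
```

With a 20,000 budget the plan funds the two high-band risks (order database, then the EDI gateway) and runs out before the website patching; the zero-cost "unplug it" options are never selected because they fail the operational test, and the printer risk is accepted rather than mitigated. Raising the budget to 23,000 picks up the website control as well.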


Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113
