Tuesday, July 29, 2014

Security is risk management

Security is all about risk management! With ever increasing complexity, it is not easy to protect everything. In fact, you are wasting your resources by trying to reach the elusive goal of protecting every asset (mainly data) in your organization. So, what can we do about the vast amount of data organizations possess? Organizations should first identify the risk associated with different data items. Depending on the level of risk, different risk mitigation techniques/security controls need to be utilized. It is easier said than done. Most organizations find it difficult to quantify the risk associated with their data. In general terms, if the more sensitive is the data and the more exposure it has, the more the risk associated with it. Higher risk items should be protected with more rigorous security controls. Let's take an analogy from real life. Where do you keep gold jewelries at home? You would not store your jewelries just the way you store your shoes, would you? You would be keeping them in a safe or hidden inside some layer in a difficult to access location in your bedroom. The following matrix gives an idea how to give a risk score to organization data:

(Source: Microsoft SQL Server 2012 Unleashed)

For example, organization's PR materials have low sensitivity and are publicly available. For such content, you would probably want to have minimal control to prevent unauthorized modification to content. Organization's employee payroll information, on the other hand, is highly sensitive and has very limited internal access to it. For such content, you would deploy rigorous security controls:  encryption on the wire and at rest data, limited read/write access, auditing, intrusion detection, etc.

Two key challenges in implementing a good risk management strategy in your organization are:
1. Identify where all organization's data reside (identify data)
2. Identify who has access to each data item

These two items sound simple, but in reality they are not. Most organizations struggle to have the full answer to them. Nevertheless, once you overcome these challenges, next critical step is to quantify the risk associated with each data item: what would be the impact if a given data item is compromised? The above matrix could be the starting point.

More on quantifying risk in a future post!


1 comment:

Unknown said...

It still surprises me greatly that businesses do not look at their insurance when they undertake risk management or a risk study. If a project or product is worth the risk, it is worth looking at insuring it. A good insurance broker will engage with underwriters to provide insurance for all manner of things that many business owners don’t consider.

Clifton Johnson @ Insuring The Product