Fourth: Manage Your Risk

We are now in a position to comprehend the true meaning of risk management. It is worth remembering that from time immemorial there have always been spending cuts. We need more "bang for our euro". The speed of technical change is also daunting: for many systems, by the time the first tranche is installed, many users already have more powerful computers at home. The threat has changed. As a global community we are far more accustomed to the acts of hackers and industrial espionage. In business we require greater flexibility, particularly with e-commerce, and the need to respond quickly to new commercial opportunities. From an acquisition perspective, we have witnessed the transition from bespoke development to the integration of COTS solutions, the transition from cost-plus to fixed-price contracts, and the rise of catalogue buying and Public-Private-Partnership arrangements. Moreover, with take-overs and increasing competition, there is a need to share information as well as protect it. However, the advent of new communication channels such as CNN and the Internet has introduced new threats, which have led to the concept of information warfare and the need to protect our Critical National Information Infrastructures.

Risk avoidance versus risk management

These transformations highlight the need for security to shift from a stable world of fixed assets, threats and slowly changing, bespoke technology to a turbulent world with rapidly changing assets, a variety of threats and open-system technology. This paradigm shift is reflected in two ways: (1) a change in terminology and (2) a change in attitude towards risk. In the former case, we used to talk about "Computer Security" or COMPUSEC and "Communications Security" or COMSEC. In the early 1990s these two terms were combined to become "Information Security" or INFOSEC.
More recently the term "Information Assurance" has been coined, partly to remind us that the integrity and availability of information are just as important as confidentiality, and partly to reflect its new role as a business-enabling technology. In the latter case, we are transitioning from a world of risk avoidance to a world of risk management.

The difference between risk avoidance and risk management can be explained with the aid of the figure above. Here, the large wall on the left represents risk avoidance: we build a one-off defence against the threat, and it must be strong enough to withstand any threat. It will undoubtedly lead to operational inflexibility and be very expensive to implement. The series of smaller walls, to the right in the figure, represents risk management. In this case the defence is dynamic, being constantly changed over time to reflect changes in the threat. Ideally, the defence should be just adequate to counter actual attacks against valuable assets, or impede them sufficiently to reduce loss and facilitate recovery actions. In contrast to risk avoidance, risk management lends itself to operational flexibility and is inexpensive to implement: you only buy what you need, not what you might need. However, it does require managing. This should not present a grave problem: all you need is an Information Security Management System (ISMS), and BS7799-2 tells you how to build one.

So what is an ISMS? An ISMS is simply the:
An idealised structure for an ISMS is shown opposite. It shows the traditional approach to risk management augmented by the addition of a new feedback loop. In scoping the problem, BS7799-2 implies an "information-centric" view of the world, to avoid the trap of failing to take account of less obvious vulnerabilities such as people, cell phones and laptops. It further implies information policies that clearly identify the business priorities concerning information, and why, and in addition risk assessments that identify what networks really are, not what people think they are!

BS7799-2 requires management to identify vulnerabilities and select safeguards with a priority that matches the business priorities specified in the security policy. Reiteration is encouraged, choosing alternative safeguards until management is satisfied with the residual risks and the costs involved. Once the chosen safeguards have been implemented, the ideal ISMS monitors their effectiveness; it does not assume that they will work as intended.

Management should regularly re-appraise the situation. Even if nothing is supposed to have changed, the risk assessment should be regularly repeated (this is the new feedback loop). Management should assume, for example, that their networks have changed: most networks do with time! In any case, doubtless someone will have identified new vulnerabilities. Of course, if the business requirements have changed, there will be a need to re-scope the problem and revise the security policy accordingly.
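The ISMS loop just described, as an added example that is not part of the original article: a small Python model of prioritised safeguard selection, reiteration until the residual risk is acceptable, and the feedback loop that re-runs the assessment with monitored effectiveness and newly identified vulnerabilities instead of assuming the safeguards work as intended. The assets, vulnerabilities, safeguards, costs and the risk scoring are constructed for illustration and are not taken from BS7799-2.

```python
# Constructed sample scope; information-centric, so laptops and people are assets too.
# asset -> (business priority from the security policy, vulnerabilities found)
ASSETS = {"customer database": (3, {"unpatched-server", "weak-passwords"}),
          "sales laptops": (2, {"unencrypted-disk", "weak-passwords"}),
          "staff": (1, {"no-awareness-training"})}
# safeguard -> (vulnerabilities it mitigates, cost)
SAFEGUARDS = {"patch management": ({"unpatched-server"}, 2),
              "password policy": ({"weak-passwords"}, 1),
              "full-disk encryption": ({"unencrypted-disk"}, 2),
              "awareness training": ({"no-awareness-training"}, 1)}

def residual_risk(assets, safeguards, deployed, effectiveness=None):
    # Each unmitigated vulnerability contributes its asset's priority; a deployed
    # safeguard covering it scales that share by (1 - effectiveness). Effectiveness
    # is assumed to be 1.0 until monitoring supplies a measured value.
    effectiveness = effectiveness or {}
    total = 0.0
    for priority, vulns in assets.values():
        for v in vulns:
            exposure = 1.0
            for name in deployed:
                if v in safeguards[name][0]:
                    exposure *= 1.0 - effectiveness.get(name, 1.0)
            total += priority * exposure
    return total

def select_safeguards(assets, safeguards, acceptable, budget, effectiveness=None):
    # Reiterate: add the affordable safeguard with the best risk reduction per unit
    # cost until the residual risk is acceptable or nothing more can be bought.
    deployed, spent = [], 0
    while (current := residual_risk(assets, safeguards, deployed, effectiveness)) > acceptable:
        best, best_gain = None, 0.0
        for name, (_, cost) in safeguards.items():
            if name in deployed or spent + cost > budget:
                continue
            gain = (current - residual_risk(assets, safeguards, deployed + [name], effectiveness)) / cost
            if gain > best_gain:
                best, best_gain = name, gain
        if best is None:
            break    # nothing affordable helps: accept the residual risk or re-scope
        deployed.append(best)
        spent += safeguards[best][1]
    return deployed, spent

def reassess(assets, safeguards, deployed, measured, new_vulns=None):
    # Feedback loop: re-run the assessment with monitored effectiveness and any
    # newly identified vulnerabilities rather than assuming the plan still holds.
    for asset, vuln in (new_vulns or []):
        assets[asset][1].add(vuln)
    return residual_risk(assets, safeguards, deployed, measured)
```

With the constructed data, the first selection buys three safeguards for a residual risk of 1.0; once monitoring reports the password policy as only half effective and a new laptop vulnerability appears, the same loop shows the residual risk climbing back above the acceptable level, which is exactly the case for repeating the assessment.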
17 January, 2003