Risky Business
Article 12/97
Most of the time, this space is dedicated to the technical policy and practice of security for your Stratus computer. In this issue, let's focus on the business aspects of computer security.
If you follow this column or have attended talks I've given at STRATAGY meetings during the past ten years, you know I like to use a definition of a data security problem published by IBM's Data Security Support Programs: "The accidental or intentional (but unauthorized) modification, deletion, or disclosure of data or the loss of ability to process it." This is what I call the seven bad things that can happen to you.
How can these bad things happen? There are a number of documented cases involving employee revenge, industrial sabotage, extortion attempts, terrorist and political groups, and hackers (well-meaning or not ...). You also have to take into account physical threats, such as fire, flood, and earthquake. According to a survey conducted by the Computer Security Institute of San Francisco, physical threats (15%), dishonest employees (10%), disgruntled employees (10%) and outsiders (5%) only represent about 40% of the total exposure of computer systems. The majority (60%) comes from human error!
Even if you discount "attacks" on your system, most problems actually result from honest employees just making a mistake. Think about your system for a moment. Have you developed a policy for access control to protect your critical files? Have you checked the system to make sure the ACL structure matches your policy? Have you checked your ACLs against your registration database for all combinations? How many privileged users do you have? Do they all understand the consequences of the powerful privileged commands? Do your users share accounts? Do you check security logs for patterns of problems? These are all issues that have been discussed in this space in previous newsletters.
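The ACL questions above can be answered mechanically. What follows is an added example, not code from the column or from Stratus: it cross-checks the access control list on each critical file against a written policy and against the registration database, and counts privileged accounts. The record formats, the `n`/`r`/`w` mode hierarchy (write implies read), the `group:` prefix, the `*` everyone principal, the `sysadmin` privileged group and all of the sample data are constructed for illustration; a real system's ACL listing and registration database would need their own parsers in place of the dictionaries here.

```python
"""Audit file ACLs against an access policy and a registration database.

Added example; formats and data are constructed, not a real system's output.
"""

# Constructed mode hierarchy: null < read < write, each implying the ones below it.
MODE_RANK = {"n": 0, "r": 1, "w": 2}

# Constructed registration database: account name -> set of group memberships.
REGISTRATION = {
    "payroll.jones": {"payroll"},
    "payroll.smith": {"payroll"},
    "ops.lee": {"ops", "sysadmin"},
    "ops.garcia": {"ops"},
}
PRIVILEGED_GROUP = "sysadmin"  # assumed name of the group that carries privileged commands

# Constructed policy: critical file -> principal -> highest mode that principal may hold.
# Principals are an account name, "group:<name>", or "*" for everyone.
POLICY = {
    "/payroll/master.dat": {"group:payroll": "r", "payroll.jones": "w", "group:sysadmin": "w"},
    "/ops/startup.cm": {"group:ops": "r", "group:sysadmin": "w"},
}

# Constructed ACLs as actually found on the files. Several deliberate mismatches:
# payroll group can write, a departed user is still listed, and startup.cm is world-writable.
ACTUAL_ACL = {
    "/payroll/master.dat": {"group:payroll": "w", "payroll.jones": "w",
                            "payroll.oldguy": "r", "group:sysadmin": "w"},
    "/ops/startup.cm": {"*": "w", "group:sysadmin": "w"},
}


def known_principals(registration):
    """Every principal an ACL may legitimately name: registered users, their groups, and '*'."""
    users = set(registration)
    groups = {f"group:{g}" for groups in registration.values() for g in groups}
    return users | groups | {"*"}


def audit(policy, acl, registration):
    """Compare the ACL on each critical file with the policy for it.

    Returns a sorted list of (path, principal, finding) tuples covering:
    principals no longer in the registration database, entries the policy
    never mentions, entries granting more than the policy allows, and policy
    grants that are missing from the ACL (the "all combinations" check).
    """
    findings = []
    valid = known_principals(registration)
    for path in sorted(set(policy) | set(acl)):
        wanted = policy.get(path, {})
        actual = acl.get(path, {})
        for principal, mode in actual.items():
            if principal not in valid:
                findings.append((path, principal, f"unregistered principal holds '{mode}'"))
                continue
            allowed = wanted.get(principal)
            if allowed is None:
                findings.append((path, principal, f"not in policy, holds '{mode}'"))
            elif MODE_RANK[mode] > MODE_RANK[allowed]:
                findings.append((path, principal, f"holds '{mode}', policy allows '{allowed}'"))
        for principal in wanted:
            if principal not in actual:
                findings.append((path, principal, "policy grants access but ACL has no entry"))
    return sorted(findings)


def privileged_accounts(registration, group=PRIVILEGED_GROUP):
    """Accounts in the privileged group: the list to review for who understands the commands."""
    return sorted(user for user, groups in registration.items() if group in groups)


if __name__ == "__main__":
    for path, principal, finding in audit(POLICY, ACTUAL_ACL, REGISTRATION):
        print(f"{path:22s} {principal:16s} {finding}")
    print("privileged accounts:", ", ".join(privileged_accounts(REGISTRATION)))
```

Run against the sample data it reports four findings: the payroll group holding write where policy allows read, the unregistered `payroll.oldguy` entry, the `*` write entry on `startup.cm` that no policy line authorises, and the ops group's missing read entry. Re-running it after every registration change or ACL edit is the "check the system matches your policy" step turned into a routine rather than a one-off.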
If you manage a computer system, you have some responsibilities for securing the system. First and foremost is a business responsibility to the company and its owners. In addition, your industry may have special legal and regulatory controls that you must abide by. Finally, there may be ethical and social responsibilities based on the data you control, such as health care records.
The first step in implementing data security should always be a risk analysis. At this stage, you try to attach some monetary value to various losses. What if we lost today's transactions? What if we couldn't process data for a day? For a week?
The second step is to develop policies and procedures to mitigate that risk. There are three ways to do this: avoid, assign, assume. You avoid risk by taking steps to make the loss as unlikely as you can. This includes the technical measures you can implement on the system to avoid the problem (ACLs, passwords, fire control systems, locks, etc.). You assign risk by passing it off to someone else, such as an insurance company. You assume risk by "self-insuring" (if this loss happens, it will cost us some amount of money, and we will pay it). Your decision of what to do here is based on your risk analysis: weigh what a control or a premium costs per year against the expected loss it removes, and pick an answer that reduces the risk without costing more than the loss it prevents.
Finally, you must implement the policy you have chosen through training, monitoring, and enforcement.
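The three steps above (value the losses, compare each response against that value, choose among avoid, assign and assume) can be carried through as a small calculation. The block below is an added example, not the column's own technique and not the analysis method the author promises for the next issue; every dollar figure, occurrence rate, control cost, premium and coverage level in it is constructed for illustration. It uses the annualised loss expectancy, single loss times expected occurrences per year, as the value of a risk, charges each response its own annual cost plus whatever loss it leaves behind, and keeps the cheapest.

```python
"""Quantitative risk analysis feeding the avoid/assign/assume decision.

Added example; all figures are constructed and are not from the column or any survey.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss: float   # dollars lost per occurrence: the value attached at the risk-analysis step
    annual_rate: float   # expected occurrences per year; 0.05 means roughly once in twenty years

    def expected_annual_loss(self) -> float:
        """Annualised loss expectancy: what this risk costs on average per year if we simply bear it."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Response:
    kind: str                  # "avoid" (a control) or "assign" (insurance); "assume" is the baseline
    name: str
    annual_cost: float         # control cost or premium per year
    rate_factor: float = 1.0   # fraction of occurrences that still happen with this response in place
    loss_factor: float = 1.0   # fraction of each loss we still bear ourselves (deductible, uncovered part)


def total_annual_cost(scenario: Scenario, response: Response) -> float:
    """What we pay per year with this response: its own cost plus the residual expected loss."""
    residual = scenario.expected_annual_loss() * response.rate_factor * response.loss_factor
    return response.annual_cost + residual


def decide(scenario: Scenario, responses) -> tuple:
    """Return (kind, name, annual cost) of the cheapest way to live with this risk.

    Assuming the risk (self-insuring) costs exactly the expected annual loss. A
    control or policy that costs more than that in total is rejected, which is
    the column's rule: never spend more than the loss you are preventing.
    """
    best = ("assume", "self-insure", scenario.expected_annual_loss())
    for response in responses:
        cost = total_annual_cost(scenario, response)
        if cost < best[2]:
            best = (response.kind, response.name, cost)
    return best


# Constructed scenarios (the column's own questions) with constructed responses.
SCENARIOS = [
    (Scenario("lose today's transactions", single_loss=50_000, annual_rate=0.5),
     [Response("avoid", "nightly journal + ACL review", annual_cost=8_000, rate_factor=0.2)]),
    (Scenario("cannot process for a week", single_loss=400_000, annual_rate=0.05),
     [Response("assign", "business-interruption insurance", annual_cost=15_000, loss_factor=0.1),
      Response("avoid", "hot standby system", annual_cost=60_000, rate_factor=0.1)]),
    (Scenario("fire in the machine room", single_loss=2_000_000, annual_rate=0.01),
     [Response("avoid", "suppression system", annual_cost=30_000, rate_factor=0.2),
      Response("assign", "property insurance", annual_cost=25_000, loss_factor=0.05)]),
]


def run_analysis():
    """Map each scenario name to the chosen (kind, response name, annual cost)."""
    return {scenario.name: decide(scenario, responses) for scenario, responses in SCENARIOS}


if __name__ == "__main__":
    for scenario, _ in SCENARIOS:
        kind, name, cost = run_analysis()[scenario.name]
        print(f"{scenario.name:28s} ALE ${scenario.expected_annual_loss():>9,.0f}"
              f"  -> {kind:6s} {name} at ${cost:,.0f}/yr")
```

With these constructed numbers the three scenarios come out one each way: the transaction loss is worth avoiding (a $25,000-a-year exposure cut to $13,000 all in), the week-long outage is worth assigning to an insurer ($20,000 down to $17,000, while the standby system would cost $62,000 against the same exposure), and the fire is assumed, because both responses cost more per year than the $20,000 expected loss they address. The arithmetic is simple; the discipline is in having defended figures for the single-loss values and rates before you trust the answer, which is why the analysis comes first.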
Since the cornerstone of this effort is risk analysis, the next issue of the newsletter will describe a technique for conducting your own analysis.