Monday, September 11, 2006

Security and Risk

Recently I have received a lot of mail from friends who are interested in writing policies for their organizations, and some specifically want to know about security policies. I explained to them that it is not as simple as they think. There are a lot of misconceptions in the industry about security.

First of all, understand that security is not a firewall, cryptography, or a virus scanner, although all of these are components of a security solution. Security is a process that examines and then mitigates the risks that arise from your company's day-to-day activities.
Put another way, it is the set of tools and techniques that prevent unauthorized people or processes from doing anything with or to your data, computers, or peripherals.
If you think that technology will solve your security problems, then you don't understand security and you don't understand your problems.

In addition to technology, security requires a mindset from every employee and defined procedures to follow, all aimed at minimizing risk.

Risks come in a wide variety of forms. Here are some examples:
• Loss of assets (theft)
• Service disruption (business interruption)
• Loss of reputation (disparagement)
• Expenses of recovery (profitability impact)
Shareholders expect managers to protect or enhance the value of the company. Security breaches that affect any of these items violate shareholders’ expectations.

Another kind of risk is only now emerging: the risk of running afoul of the law. Many new laws include punitive measures (usually fines). Three examples from the United States are the Gramm-Leach-Bliley Act (GLBA), which affects U.S. financial institutions and requires them to disclose their privacy policies to customers; the Health Insurance Portability and Accountability Act (HIPAA), which restricts disclosure of health-related data along with personally identifying information; and the Electronic Communications Privacy Act (ECPA), which specifies who can read whose e-mail under what conditions.

You (or your management) can take five approaches with regard to any risk:
• Accept the risk—You must accept the risks in the following two cases:
— You cannot do anything about the risk (for example, a vendor goes out of business or a product is dropped).
— The cost of mitigation is not economical.
• Defend against the risk—You can deploy firewalls, antivirus products, encryption technologies, and so on. You can also establish procedures and policies.
• Mitigate the risk—Even if you assume that there is no such thing as a web server that cannot be broken into, you still do not have to simply accept the risk. Some of the things you can do include the following:
— You can limit the impact of a successful break-in by being ready to reinstall the web server at a moment's notice.
— You can take steps to maintain the web server's security (patching, hardening).
— You can regularly audit its contents.
— You can examine its logs.
• Pass on the risk—You can insure against the risk (sometimes).
• Ignore the risk—This is the only foolish choice. Ignoring the risk is not the same as accepting it. Ignoring it is merely hoping that someone else will be attacked instead.
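One concrete way to "regularly audit its contents" is to keep a baseline of file hashes for the web root and diff the live tree against it. The following is an added example, not code from the original post. It uses a temporary directory as a constructed stand-in for a web root, takes a baseline, then simulates a break-in (a defaced page, a planted script, a deleted file) and reports what changed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Manifest: relative POSIX path -> SHA-256 digest, for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root, manifest):
    """Compare the current tree against a stored manifest and report the differences."""
    current = baseline(root)
    return {
        "added":    sorted(set(current) - set(manifest)),
        "removed":  sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in current.keys() & manifest.keys()
                           if current[p] != manifest[p]),
    }


def demo():
    """Constructed scenario (not real data): a tiny web root, a baseline, then a simulated break-in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "status.cgi").write_text("#!/bin/sh\necho ok\n")
        manifest = baseline(root)          # in practice, store this off the web server

        # simulated intrusion: defacement, a planted script, a deleted file
        (root / "index.html").write_text("<h1>Defaced</h1>\n")
        (root / "cgi-bin" / "shell.cgi").write_text("#!/bin/sh\n# not in the baseline\n")
        (root / "cgi-bin" / "status.cgi").unlink()

        return audit(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest is only worth anything if the attacker cannot rewrite it along with the content, so keep it (and the script that checks it) on a separate host or read-only medium, and run the comparison on a schedule rather than on demand.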

Three of these (defending against, mitigating, and passing on the risk) are threat reduction techniques. Reducing the threat is easier if the proper security stance is selected first. Every defense takes one of the following approaches:
• Permit nothing (the paranoid approach).
• Prohibit everything not specifically permitted (the prudent approach).
• Permit everything not specifically prohibited (the permissive approach).
• Permit everything (the promiscuous approach).
Of these, the prudent choice makes the most practical sense and is the approach assumed in what follows. It is also the one that most vendors choose. For example, a Cisco access list ends with an implicit deny, so anything not specifically permitted is dropped.
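To make the four stances concrete, here is an added example, not code from the original post or from Cisco. It evaluates a small Cisco-style extended ACL (a constructed rule set for a hypothetical web server at 192.0.2.10) with first-match semantics. With the default verdict set to "deny" the evaluator behaves like a real IOS ACL, whose unwritten final rule is "deny ip any any" (the prudent stance); with the default set to "permit" the very same rules become permissive, and anything the author forgot to prohibit, such as SSH or a database port from the Internet, slips through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example ACL for a hypothetical web server at 192.0.2.10
# (not taken from the original post). '!' starts a comment, as in IOS.
WEB_ACL = """
! block one known-bad source entirely, before the permits
deny   tcp host 198.51.100.66 host 192.0.2.10
permit tcp any host 192.0.2.10 eq 80
permit tcp any host 192.0.2.10 eq 443
permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.10 eq 22
"""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # Cisco wildcard mask: 0 bits must match, 1 bits are "don't care";
    # invert it to get a netmask (only contiguous masks are supported here).
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False), tokens[2:]


def parse_acl(text):
    """Parse lines of the form: <permit|deny> <proto> <src> <dst> [eq <port>]."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def matches(rule, pkt):
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt, default):
    """First match wins; `default` is the verdict when no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# The four stances from the text. IOS ACLs end with an unwritten "deny ip any any",
# i.e. they implement the prudent stance.
STANCES = {
    "paranoid":    lambda rules, pkt: "deny",                        # permit nothing
    "prudent":     lambda rules, pkt: evaluate(rules, pkt, "deny"),  # implicit deny
    "permissive":  lambda rules, pkt: evaluate(rules, pkt, "permit"),
    "promiscuous": lambda rules, pkt: "permit",                      # permit everything
}


def stance_comparison():
    """Verdict of every stance for a few constructed packets against WEB_ACL."""
    rules = parse_acl(WEB_ACL)
    packets = {
        "web from internet":     Packet("tcp", "198.51.100.7",  "192.0.2.10", 443),
        "web from blocked host": Packet("tcp", "198.51.100.66", "192.0.2.10", 80),
        "ssh from intranet":     Packet("tcp", "10.20.30.40",   "192.0.2.10", 22),
        "ssh from internet":     Packet("tcp", "198.51.100.7",  "192.0.2.10", 22),
        "db port from internet": Packet("tcp", "198.51.100.7",  "192.0.2.10", 3306),
    }
    return {name: {s: f(rules, pkt) for s, f in STANCES.items()}
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdicts in stance_comparison().items():
        print(f"{name:24s} " + "  ".join(f"{s}={v}" for s, v in verdicts.items()))
```

Note that rule order matters under both stances: the explicit deny for 198.51.100.66 comes first, so that host is blocked even on port 80. The stances differ only in what happens to traffic that no rule mentions, which is exactly the traffic a policy author is most likely to have overlooked.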
