Security Managerment

Business Asset Protection

In order to successfully implement a security strategy, management should have a security minded attitude. Security planning and management involves long term strategic planning. The next step consists of doing a risk analysis. After selecting the areas on which to focus, policies and procedures can be defined, as well as measurements that will be used to revise the effectiveness and efficiency of the countermeasures and security mechanisms. The resulting recommendations are then to be implemented, monitored and tested. The results of the compliance checks should eventually be used to revise the original analysis. The life cycle of a security implementation needs to be supported by everyone involved.

A general risk analysis model includes an organization's assets and their value to the organization, the threats it is exposed to and its weaknesses and vulnerabilities. Subsequently, it allows for countermeasures to be set up, and codes of practice, standards and security guidelines to be formulated.

A review boundary is set up. At the core of the review are the assets; external elements to the analysis can include the public telephone network, third parties that have access to internal databases and financial systems, etc. These are supposed to be given and they cannot be modified. Assets now are subject to deliberate threats...for instance an attack and accidental threats (ex. negligence, carelessness, etc). Assets can be hardware, software, physical, or data. There exist dependencies between these elements and it is important to recognize them: unwanted access to one of these components can result in other crucial systems or data becoming exposed. To be exposed to a threat however means that this threat has to have an impact. Factors that can make a threat a reality and harm you have an impact are vulnerabilities. An impact requires an external or internal action to be taken or an event to take place. Unlike accidental threats, deliberate threats are triggered. You must be able to distinguish between motivation and determination: why would someone want to attack the system or organization... how attractive is it? And how far is he/she willing to go? Other factors include an attackers resources and capability. For the appropriate controls to be put in place, these different impacts have to be measured.

Conducting a risk analysis involves determining the value of assets and their dependencies, assessing threats and identifying the safeguards that are already in place. One aspect of identifying threats is gauging the likelihood of their occurrence and the severity of the impact. For the selection of additional or revised safeguards, one should keep the security objectives in mind. In general, any system's implementation has to consider a number of constraints such as: time, technical, financial, environmental, sociological. These have to be identified and will influence the selection of safeguards.

A final step is

...