Citadel100 Outsourcing: “The Security Perspective”

Keeping Your Business Always Online. Page 1 of 6.
Outsourcing critical data: the security perspective

The terrorist attacks of September 11, 2001 made security an urgent issue worldwide. The event made many high-profile companies take security from the “watchman” level to the level of senior management, playing a pro-active part in decision-making, policy and procedures. Any company that plays a role in critical infrastructure, information technology, communications, banking, power supply, etc., is seeing a new level of threat. Analysts indicate that future attacks could involve an attack on computer networks.

Many organizations, including national computer networks, are adopting a managed services approach as a means to counter this growing threat. By locating critical data in purpose-built secure environments, concerns regarding unauthorized access, uninterrupted power and constant monitoring can be placed in the hands of dedicated professionals.

Identification of a weakness in your company is critical, and a risk assessment should be carried out at the earliest possible stage. A risk assessment identifies weaknesses in an organization and puts in place the required countermeasures to minimize the risks associated with each weakness. Simply stated, risk assessment is the systematic process by which an organization identifies, reduces, and controls its potential risks and losses. This process allows organizations to determine the magnitude and effect of the potential loss, the likelihood of such a loss actually happening, and countermeasures that could lower the probability or magnitude of loss. Many Irish companies faced with serious weaknesses in their organizations are realizing that the best option is to outsource their data storage to a managed service provider who will provide a package that best meets their needs.

Risk is the potential for an event that could have a negative impact on the business to occur. Such an event can be loss of information, finances or reputation, or unauthorized access to your I.T. department. The likelihood of the potentially damaging event occurring depends upon (a) threat and (b) vulnerability.

(a) Threat is the potential to carry out actions that are harmful to an organization’s assets.

(b) Vulnerability is any weakness that can be exploited by a rival or competitor to cause damage to an organization’s interests. The level of vulnerability, and hence the level of risk, can be reduced by implementing appropriate countermeasures.

An asset is anything of value (people, information, hardware, software, facilities, reputation, activities, and operations). The more critical an asset is to an organization, the greater the impact its loss would have on the business. Take for example the loss of an organization’s main server or servers. This loss would significantly reduce the organization’s ability to access data. The loss would have greater consequences if it occurred during a key business transaction or if the server was not backed up.
Prior to beginning a risk assessment, some time should be spent in preparation. Management should be consulted to identify any constraints and to determine operating parameters and expectations. Management will best know what and where their assets are and their importance to the organization. The risk assessor should also identify other organizations that have a vested interest in the protection of critical elements of the organization. For example, although an organization’s Chief Technology Officer may have responsibility for his or her company’s network, department heads may also have an interest in the availability and integrity of that network.

[Chart: Risk assessment. Axes labelled Vulnerability and Threat; threats shown are burglary, loss of power, malicious action and fire damage, plotted for Site A, Site B and Site C.]

A recent report identified a number of steps required to draw up a risk assessment.

1. Assets. This step identifies and focuses on the resources vital to the organization’s operation. Most assets are tangible, e.g. people, facilities, equipment; others are not, e.g. information, processes, reputation. In a communications organization, information and automated processes may be more important than many tangible assets. Organizations need to protect sensitive information, including information about the functions of the organization and its employees, as well as critical processes such as power generation, environment, and financial status. For each individual resource, identify the effect that the loss, damage, or destruction of that resource would have on the organization. The overall value is based upon the severity of this effect.

2. Threat. This step focuses on the opposition or events that can negatively affect the previously identified assets. The assessor must rely on data and information obtained from management interviews. The threat is considered in terms of adversaries. Common types of adversaries include business competitors, hackers, criminals, hostile intelligence services, terrorists, and others. In order to assess whether an adversary poses a threat you must determine whether they have the intent to cause an unwanted event.
Just as natural disasters and accidents are treated as threats even though they do not possess intent, cyber events (e.g. viruses and denial-of-service attacks) should also be treated as threats. Any organization that connects critical networks to the Internet must be aware of events in the larger world. When periods of politically motivated protest take place, such as the recent anti-war demonstrations, the infrastructure community may be attacked, physically or via the Internet, regardless of the individual organization’s involvement in the event being protested. Protesters often view multinational companies as part of the government. Companies or banks may also be attacked as symbols of globalization. Even protests between two foreign nations can spill over into neutral states. Ireland’s close ties with and support for the United States could be regarded as hostile by states engaged in conflict with the U.S. or aligned nations. Because Ireland is fast becoming a multicultural nation with a large global presence, Irish organizations may suffer attacks for any number of misguided reasons.

3. Vulnerability. This step identifies and characterizes vulnerabilities related to specific assets or undesirable events. The assessor is looking for exploitable situations created by a lack of adequate physical or information security, personal behavior, working practice, and insufficient security procedures. Examples of typical vulnerabilities include:

• The absence of manned guarding.
• Poor access controls.
• Lack of updated security patches.
• Unscreened employees / visitors.

When designing and installing security systems, organizations should not count on suppliers alone to build appropriate levels of security. An assessment provided by an independent contractor can give the organization an objective description of its vulnerabilities. It is essential that the company’s I.T. security specialist be involved in the process. This step requires the gamekeeper to take on the role of the poacher. Specifically, the assessor should begin by studying the asset and asking questions such as “how would I get in there?” Each vulnerability, when considered against who might exploit it and the assets they may attack, will determine the risk value.

4. Risk. This is where all of the earlier assessments (asset, threat, and vulnerability) are combined and evaluated in order to give a complete picture of the risks to an asset or group of assets.

1. What would the business impact be if an asset is lost or harmed by an unwanted event?
2. How likely is it that an adversary will attack those identified assets?
3. What are the most likely vulnerabilities that the adversary will use to target the identified assets?

By answering these questions we can begin to make an informed judgment of how “at risk” an organization is from unwanted events. We should be able to determine where the major vulnerabilities and threats lie. At this point, we should be able to determine the major physical and cyber risks as well as which of these risks require immediate attention.
The risk assessment may ultimately lead to the conclusion that the organization in its present location simply cannot meet the recommendations needed to adhere to accepted practice codes. In a world where international standards have become the guiding factor for business operating procedures, non-compliance can be a costly option.

Outsourcing as a Countermeasure Option

[Chart: Outsourcing as a Countermeasure Option. Scores from 0 to 100 for Facility, Power and Security at the present site, Site 2 and Site 3.]

The objective of a risk assessment is to provide the company with countermeasures, or groups of countermeasures, which will lower the overall risk to the asset to an acceptable level. By evaluating the effectiveness of possible countermeasures against specific adversaries, you can determine the most cost-effective option. In presenting findings to a company, the risk assessor should provide at least two countermeasure packages as options. Each option should also include the expected costs. Upon conducting a cost assessment it may be found that, although initially more expensive, relocation of critical data would save money, whereas option B would actually lead to losing money, critical data and, subsequently, public confidence.

Faced with unattainable requirements regarding power supply, building management and security, the only viable option open to many companies responsible for the supply of critical services is to relocate their main servers and information technology to a data centre offering instant secure access 24x7. The objective of locating in a secure facility is to lower the overall risk to the minimum level. Managed services can identify which vulnerabilities need to be addressed. By evaluating the effectiveness of possible countermeasures against specific adversaries, they will determine the most cost-effective options.
Organizations that embrace an in-house approach to risk management need to constantly monitor any changes in their assets, the threat, and their vulnerabilities. As changes appear, so too does the need for a new risk assessment and recommendations for new countermeasure options. The continuous nature of risk assessment requires organizations to develop a risk-aware culture that understands, validates, and implements the security recommendations and countermeasures. New threats will emerge, some from new sources, which may be low-tech as well as high-tech. The resulting risks may appear too quickly to be addressed by a company without the services of a full-time security consultant.
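The four steps above (assets, threat, vulnerability, risk) and the requirement to present at least two costed countermeasure packages can be carried through as a small worked example. The following Python is an added illustration, not Citadel100's own method or tool: it assumes 1..5 ordinal scales for asset impact, threat likelihood and vulnerability exploitability, scores each register line as impact × likelihood × exploitability, and then re-scores the register under each countermeasure package so residual risk can be set against cost. The register entries, threat names, package contents and costs are all constructed sample data (the threats follow the paper's chart: burglary, loss of power, malicious action, fire damage).

```python
"""Qualitative risk register and countermeasure comparison.

Added example (not Citadel100's method). Assumed scales, all 1..5:
  impact         - business impact if the asset is lost or harmed
  likelihood     - how likely the threat is to act (intent/capability or event frequency)
  exploitability - how easily the weakness can be used against the asset
Risk per finding = impact * likelihood * exploitability (1..125).
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)


@dataclass(frozen=True)
class Finding:
    """One register row: a vulnerability that exposes an asset to a threat."""
    vulnerability: str
    asset: str
    threat: str
    impact: int
    likelihood: int
    exploitability: int

    def __post_init__(self):
        for v in (self.impact, self.likelihood, self.exploitability):
            if v not in SCALE:
                raise ValueError(f"{self.vulnerability}: scores must be 1..5, got {v}")

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood * self.exploitability


def ranked(register):
    """Step 4: order findings by risk, highest first, to see what needs attention."""
    return sorted(register, key=lambda f: f.risk, reverse=True)


def total_risk(register) -> int:
    return sum(f.risk for f in register)


def apply_package(register, reductions):
    """Re-score the register under a countermeasure package.
    `reductions` maps vulnerability name -> exploitability points removed (floor 1).
    Naming a finding that does not exist is an error, so a typo cannot
    silently leave a risk untreated."""
    unknown = set(reductions) - {f.vulnerability for f in register}
    if unknown:
        raise KeyError(f"package targets unknown findings: {sorted(unknown)}")
    return [replace(f, exploitability=max(1, f.exploitability - reductions.get(f.vulnerability, 0)))
            for f in register]


def compare_packages(register, packages):
    """packages: name -> (cost, reductions). Returns name -> residual risk, cost and
    risk removed per unit of cost, best value first."""
    baseline = total_risk(register)
    rows = {}
    for name, (cost, reductions) in packages.items():
        residual = total_risk(apply_package(register, reductions))
        rows[name] = {"residual": residual, "cost": cost,
                      "reduction_per_cost": round((baseline - residual) / cost, 2)}
    return dict(sorted(rows.items(), key=lambda kv: kv[1]["reduction_per_cost"], reverse=True))


# Constructed sample register (scores are illustrative assumptions).
REGISTER = [
    Finding("no manned guarding", "main servers", "burglary", 5, 2, 4),
    Finding("single mains feed, no UPS", "main servers", "loss of power", 5, 4, 5),
    Finding("missing security patches", "main servers", "malicious", 5, 3, 4),
    Finding("no fire suppression", "main servers", "fire damage", 5, 1, 3),
    Finding("unscreened visitors", "office workstations", "burglary", 2, 2, 3),
]

# Two constructed countermeasure packages; costs are in arbitrary units.
PACKAGES = {
    "in-house hardening": (30, {"missing security patches": 3,
                                "single mains feed, no UPS": 2}),
    "relocate servers to data centre": (50, {"single mains feed, no UPS": 4,
                                             "no manned guarding": 3,
                                             "no fire suppression": 2,
                                             "missing security patches": 3}),
}

if __name__ == "__main__":
    for f in ranked(REGISTER):
        print(f"{f.risk:4d}  {f.vulnerability} ({f.asset} / {f.threat})")
    print("baseline total risk:", total_risk(REGISTER))
    for name, row in compare_packages(REGISTER, PACKAGES).items():
        print(f"{name}: residual {row['residual']}, cost {row['cost']}, "
              f"risk removed per unit cost {row['reduction_per_cost']}")
```

With the sample data the loss-of-power finding ranks first (100 of a baseline 227), and the relocation package, although it costs more, removes more risk per unit of cost (165/50) than in-house hardening (85/30), which is the kind of comparison the paper asks the assessor to put in front of management. Because the register is re-scored from the same functions, the monitoring requirement in the paragraph above is met by editing the scores and re-running rather than by a new spreadsheet.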
Organizations outsourcing their critical data will be free from the need to manage these new risks. Risk management is a regular process to determine the likelihood that a threat will harm a resource and to identify actions that reduce the risk and mitigate the consequences of an attack. Risk management principles recognize that while risk cannot be eliminated, enhancing protection from potential threats and constant monitoring can greatly reduce it.