The next step in creating your security policy is to take a good look at the risks you are facing. Ask yourself the following questions:
■ What is the chance of this happening?
This should be done throughout the entire organization, but first, start by listing the big risks, and then work your way down to the smaller ones. You should consider both malicious intent and accidental mishaps. Rate all the risks as low, medium, or high, depending on their chance of happening and the consequences thereof. Two real-world examples follow.
A small business had Internet access through an ISDN connection. A firewall/router box was used to protect their network, and since the vendor configured it, they thought they were safe. When the configuration was audited, however, it turned out that the box allowed someone to establish a connection if he or she called in on the ISDN line, and get unlimited access to the network. In this case, "incomplete configuration" was the problem. Since configuring is the work of imperfect human beings, the chance of this happening is realistic (medium risk). The consequences were that someone with malicious intent could have brought the entire network down with relative ease. The company was lucky that this had not happened.
A system administrator team of two persons, swamped with work, was often forced to cut corners. There was a lack of electrical outlets in the computer room. Instead of adding additional outlets, they strung an extension cord to solve this problem. This was an accident waiting to happen, and it did. One system administrator, running around solving problems, tripped over the extension cord, bringing all three servers down. The result was that 28 employees had to wait an hour to regain access to the network. In this case, "someone accidentally interrupted the power supply," due to the extension cord lying in the way. The chance of someone pulling the cord is very real (high risk). The consequence was the loss of an hour of productivity.
An important aspect of risk analysis is considering the monetary losses that a security disruption might cost the business or organization. This is not always as obvious as it might appear to be. Sit down with a few colleagues and try to calculate what it will cost if the BizTalk solution in full production is not available for one complete day. You might be surprised at how expensive this turns out to be, especially if all the hidden costs are uncovered! Think about the following:
■ The number of employees who are unable to work, times the personnel cost for one day.
■ The number of employees who have to work overtime to get things running again, multiplied by the overtime wages.
■ The loss in production, orders, and so forth.
■ The unhappy customers and suppliers, since bad news travels fast and has a tendency to linger.
Another point to consider is how much time it will take to replace the BizTalk server from the moment it goes down and you find that there is no way to reboot it. You might be surprised how fast time goes! Think about the time it will take to do the following:
■ Get a replacement server in place.
■ Install the bare system.
■ Restore the latest version of the BizTalk solution.
■ Determine if information is lost.
■ Synchronize all systems involved.
■ Test that the whole system is running correctly.
Once the initial risk analysis is complete, your work is by no means done. Risk analysis is an ongoing process that must be audited periodically. After the analysis, it is time to start managing the risks, since that is what security is all about. Focus first on the high and medium risks, and ask yourself, "What needs to be done to reduce or eliminate these risks?" Often, multiple solutions will spring to mind. Make a fair estimate of the cost these security solutions will entail. Take the initial cost for purchase and installation into account, and determine what the operational costs entail, such as maintenance and service agreements. After that, it is simple economics: A security solution that costs less to implement and maintain than the cost involved if the problem it is supposed to protect against occurs is worth implementing. This does not mean that you should always implement solutions that eliminate a risk. Reducing a risk from high to low is, in most cases, sufficient, especially if the cost to do so is small compared to the cost of eliminating the risk.
Eliminating the possibility of some potential problems is often simply not feasible or possible. In cases like this, monitoring the situation is usually the best bet. For example, the chance that someone will try to break into the BizTalk server from inside or outside is slim, but realistic. Trying to eliminate this risk is an uphill battle. However, by using monitoring tools for intrusion detection and log analysis, you will, in most cases, be warned of a break-in attempt before it succeeds.
In the previous two real-world examples, using risk management would easily have curbed the risks. In the first example, a simple audit on the configuration (see the next section, Auditing) would have revealed the incomplete configuration. It would have cost a few hundred dollars at most to address this risk, much less than what it would have cost if someone had actually breached this security hole. In the second example, using a longer extension cord and taking 10 minutes to guide the cable along the walls would have significantly reduced the risk of pulling out the cord, and would have only cost a few dollars. For about $500, the company could have installed uninterruptible power supplies (UPSs) that would have allowed the administrator enough time to put the cord back into the power outlet, without the servers going down.
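The downtime-cost estimate and the "simple economics" rule described above can be put into a small risk register. This is an added example, not part of the original text: the names `downtime_cost`, `Mitigation`, `Risk` and `choose` are hypothetical, and the hourly personnel cost, the incident costs and the break-in figures are constructed assumptions.

```python
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}

def downtime_cost(idle_staff, hours, hourly_cost, overtime_hours=0.0,
                  overtime_rate=0.0, lost_production=0.0):
    """Idle personnel + overtime to recover + lost production and orders."""
    return (idle_staff * hours * hourly_cost
            + overtime_hours * overtime_rate + lost_production)

@dataclass
class Mitigation:
    name: str
    purchase: float        # initial purchase and installation
    yearly_upkeep: float   # maintenance and service agreements
    residual: str          # rating once the measure is in place

    def cost(self, years=1):
        return self.purchase + self.yearly_upkeep * years

@dataclass
class Risk:
    name: str
    rating: str
    incident_cost: float
    options: list = field(default_factory=list)

def choose(risk, years=1):
    """Cheapest measure that lowers the risk to 'low' for less than the
    incident would cost; with no such measure, fall back to monitoring."""
    worthwhile = [m for m in risk.options
                  if LEVELS[m.residual] <= LEVELS["low"]
                  and m.cost(years) < risk.incident_cost]
    if not worthwhile:
        return "monitor"
    return min(worthwhile, key=lambda m: m.cost(years)).name

# Constructed figures: the 40/hour personnel cost, the 10,000 incident costs
# and the break-in option are assumptions; 28 staff, one hour, and the rough
# prices (a few dollars, a few hundred dollars, about $500) come from the text.
power = Risk("extension cord pulled", "high", downtime_cost(28, 1, 40.0), [
    Mitigation("reroute cord along walls", 5, 0, "low"),
    Mitigation("install UPS", 500, 0, "low")])
isdn = Risk("incomplete firewall configuration", "medium", 10_000.0, [
    Mitigation("configuration audit", 300, 0, "low")])
breakin = Risk("break-in attempt on server", "medium", 10_000.0, [
    Mitigation("eliminate all access paths", 50_000, 5_000, "low")])

if __name__ == "__main__":
    for r in (power, isdn, breakin):
        print(f"{r.name}: {r.rating} -> {choose(r)}")
```
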