Thursday, April 8, 2010

Risk Management

The principles of keeping a system secure are as old as information itself. As long as information has been around, ways of preventing it from reaching the wrong hands have been strongly reinforced. As technology advances, systems become vulnerable to more attack methods, also known as vectors. By the time a system administrator tries to find out what went wrong with a system, it is sometimes too late. For this reason, one must be aware of the latest technology in the field. The ways of keeping a system secure change every day, but the principles never change. Some principles are straightforward to understand and carry out because they do not require much technical background.

One of the most important concepts in data security is availability. How can something be secure if it has been deleted by a weather incident, human negligence or a malicious act? The first step is to back up data regularly. Data backup is perhaps the oldest way of preserving data. There are different categories of backup: full, differential, incremental and delta backup. They differ in how much data is preserved and when. The second step in preventing data disasters is to have the proper equipment. Having a UPS (uninterruptible power supply), proper work practices such as not bringing food to workstations, and policies all help an organization prevent data disasters.
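To make the difference between full, differential and incremental backups concrete, here is a small simulation added to this post (it is not code from the original or from any backup product): it tracks how many files each backup kind has to copy and which sets a restore must replay. The BackupSet and BackupSimulator names are constructed for the example, and file deletions are deliberately not modelled.

```python
from dataclasses import dataclass

@dataclass
class BackupSet:
    kind: str     # "full", "differential" or "incremental"
    files: dict   # file name -> content captured by this backup

class BackupSimulator:
    """Toy model of the post's backup categories; deletions are not modelled."""
    def __init__(self):
        self.live = {}       # current contents of the protected data
        self.history = []    # every BackupSet taken so far, oldest first

    def write(self, name, content):
        self.live[name] = content

    def _changed_since(self, baseline):
        return {n: c for n, c in self.live.items() if baseline.get(n) != c}

    def backup(self, kind):
        """Take a backup of the given kind; returns how many files it had to copy."""
        if kind == "full" or not self.history:
            kind, captured = "full", dict(self.live)  # everything, every time
        elif kind == "differential":
            # everything changed since the most recent FULL backup
            last_full = next(b for b in reversed(self.history) if b.kind == "full")
            captured = self._changed_since(last_full.files)
        elif kind == "incremental":
            # only what changed since the most recent backup of ANY kind
            captured = self._changed_since(self.restore())
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        self.history.append(BackupSet(kind, captured))
        return len(captured)

    def restore_chain(self):
        """Minimal ordered list of sets needed to rebuild the latest state."""
        start = max(i for i, b in enumerate(self.history) if b.kind == "full")
        diffs = [i for i in range(start + 1, len(self.history))
                 if self.history[i].kind == "differential"]
        anchor = diffs[-1] if diffs else start  # latest differential supersedes earlier sets
        chain = [self.history[start]] + ([self.history[anchor]] if diffs else [])
        chain += [b for b in self.history[anchor + 1:] if b.kind == "incremental"]
        return chain

    def restore(self):
        state = {}
        for b in self.restore_chain():
            state.update(b.files)  # replay in order; later sets overwrite earlier ones
        return state
```

Differential sets grow with every change since the last full backup but keep the restore chain short, while incremental sets stay small and make the chain grow by one set per backup.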

The disaster recovery process has many methods that help an organization preserve its data and avoid endangering it negligently. Beyond making proper backups and using proper equipment and procedures, there are other ways that blend into the same process. Anticipating risks, planning a strategy and having a post-disaster plan help the organization act accordingly when such an event occurs. There are two kinds of risk management: quantitative and qualitative. Quantitative risk management determines the impact of threats by providing clients with the advice, knowledge and tools necessary to adopt innovations. Qualitative risk management is the separation or categorization of risks. They are categorized in three ways, low, medium and high, following a scale from one (least severe) to ten (most severe). Some of these scales rely on models. Threats can be divided into categories as well: natural, physical, network, human and eavesdropping threats. One must understand that these threats are equally important. There are no less or more important threats; they are all the same because they all risk critical destruction of data. Even though a company might disagree with this concept, I understand why. A company with a limited budget cannot spend time fixing every hole that might exist in a system. They can only fix the holes they see as most imminent.

Lastly, who is made aware of security holes varies from company to company, but I personally think it must be done accordingly and very cautiously. Critical information in the wrong hands can lead to more hands on that vulnerability and might lead to total disaster. Only certain personnel must be told about the security vulnerabilities and/or breaches and given a solution. If no one is able or capable of determining what went wrong, they are less likely to know what to do to fix it. Some white-hat hacker organizations try to break into corporate systems and offer to help fix them. In a movie I watched yesterday called “En Busca de Los Hackers” (Seeking for Hackers), Spanish version, a group of Spanish white-hat hackers said that offering to help companies with no hard evidence that somebody has broken into their system does not work. Every company has turned them down. The only method, for them, is the illegal approach. They break into the system first, put the flaws on a disc explaining how they found them and present it to companies for hire. 1 out of 9 companies hired them. No wonder there are vulnerable systems all around the world. If people, including corporations, have that fear about hackers, what can they do to make their systems better? Of course, there are bad people out there, but not everybody who calls themselves a hacker really is one.

In this cyber world full of vulnerabilities it is hard to know who is on which side of the road. The only solution for a company is to back up its data daily; that way, if it ever loses something, it only loses a day's worth of work, thus controlling how much money it might lose. It is not a matter of if, it is a matter of when. Every system in this world has been compromised at least once in its history, which means no system is a silver bullet for an organization. There are security basics and procedures, of course, and they try to minimize risk as much as possible to save company time and critical data. Just remember one thing: anybody with the proper knowledge, a computer connected to the Internet and time can break into ANY system. One of the reasons is that companies do not encrypt data that travels over the network. Companies seek flexibility and convenience, and these have a price. The price might be more than what they were looking to achieve: the price is their lost privacy.

Sources:

http://www.it-observer.com/best-practices-securing-your-enterprise.html

http://en.wikipedia.org/wiki/Risk_management

“En Busca de los Hackers” (Seeking for Hackers), Spanish movie
