Sunday, December 29, 2019
Security risks in protecting an organizations assets - Free Essay Example
Sample details Pages: 6 Words: 1668 Downloads: 2 Date added: 2017/06/26 Category Business Essay Type Argumentative essay Did you like this example? The protection of an organisationà ¢Ã¢â ¬Ã¢â ¢s assets must be based on understanding security risks the only way an effective security solution / services can be found and implemented is by carrying out a comprehensive security risk assessment and security audit, discuss. In this paper, the importance of security risk assessments and security audits to an organization wishing to select the most cost-effective security solution (and security supplier[1]) to protect its assets will be discussed. Prior to engaging with the assumptions which are embedded within the statement at the top of this paper, it is first important to define what is meant by à ¢Ã¢â ¬ÃÅ"security risksà ¢Ã¢â ¬Ã¢â ¢. Donââ¬â¢t waste time! Our writers will create an original "Security risks in protecting an organizations assets" essay for you Create order A succinct definition of the concept has been provided by Landoll (2006, p36), an eminent author in this field of industry, who writes: à ¢Ã¢â ¬Ã
âSecurity risks are a measurement of the likelihood that [an] organizationà ¢Ã¢â ¬Ã¢â ¢s assets are susceptible.à ¢Ã¢â ¬Ã If we accept this definition as the starting point of our discussion, we can immediately assert that, if an organization chooses to employ a proactive[2] security system to protect its assets, then it must necessarily perform an assessment of the security risks to which those assets are vulnerable- if it did not, then it would be unable to select the most cost-effective solution to protect those assets because, simply stated, it would not know what risks it needed to protect itself from. Of course, if an organisation chooses only to employ a reactive security system, i.e. one which is designed to protect assets against security breaches which have occurred previously[3], then a security risk assessment is not necessary- the security risks will be identified from actual breaches which have occurred, and a solution selected on the basis of damage assessment and appropriate safeguard design. We can therefore conclude that, while the protection of an organisationà ¢Ã¢â ¬Ã¢â ¢s assets from new forms of security breaches must be based on understanding security risks, the protection of an organisationà ¢Ã¢â ¬Ã¢â ¢s assets from security breaches which have already occurred in the past requires no real understanding of security risks- the security risk is identified from an actual breach rather than from a risk assessment or security audit. In this regard, the first assumption provided by the statement at the top of this paper, namely that à ¢Ã¢â ¬ÃÅ"the protection of an organisationà ¢Ã¢â ¬Ã¢â ¢s assets must be based on understanding security risksà ¢Ã¢â ¬Ã¢â ¢, must be considered, at least partially, inaccurate. In order to understand the impact of this ina ccuracy, it is important to address the following question: Under what circumstances is it appropriate for an organisation to employ only a reactive security system to protect its assets? While it will not be possible within the limited scope of this paper to provide a comprehensive answer to this question, two important observations can be made: A (solely) reactive model is not appropriate for an organisation whose environment is constantly changing, such as a web-based organisation- the security threats that such organisations are likely to face will evolve, and a purely reactive model would not be able to prevent effectively future breaches. While a reactive à ¢Ã¢â ¬ÃÅ"incident responseà ¢Ã¢â ¬Ã¢â ¢ model may be appropriate for an organization whose environment is simple[4], static and unchanging, that organisation will only be able to reach the conclusion that a reactive model is appropriate either (i) through exercising such a model and discovering that the security risks faced by the organisation are few and non-evolving; or, (ii) by performing a security risk assessment and discovering that the security risks faced by the organisation are few and non-evolving. No prudent security system architect would ever promote the former of these routes, unless the assets owned by the organisation have such little value that it is not cost-effective to perform a comprehensive security audit[5]. Accepting that the assumption of the statement at the top of this paper is not accurate for organizations with low-value assets, existing within a static, non-evolving environment, let us now turn to consider the second assertion provided by the statement at the top of this paper; namely, that à ¢Ã¢â ¬ÃÅ"the only way an effective security solution / service can be found and implemented is by carrying out a comprehensive security risk assessment and security audità ¢Ã¢â ¬Ã¢â ¢. The only contentious element of this assertion, and semi-contentious at that, is that the carrying out of a comprehensive security risk assessment and security audit is the only way to find an effective security solution. After all, no authors have ever argued against the usefulness of security risk assessments; in fact, quite the contrary: à ¢Ã¢â ¬Ã
âAssessments are the key tools for uncovering security issues that may have been well hidden before. Often, an assessment leads to a compelling event that increases internal awareness of your organizationà ¢Ã¢â ¬Ã¢â ¢s security shortcomings à ¢Ã¢â ¬Ã¢â¬ it may uncover a prior, but undiscovered, breach; or a penetration test may à ¢Ã¢â ¬Ã
âcreateà ¢Ã¢â ¬Ã such an event by highlighting vulnerabilities. In addition, assessments can also help create budget resources for security enhancement à ¢Ã¢â ¬Ã¢â¬ besides identifying problems, an assessment report can provide justification for making the investment necessary to solve the problems.[6]à ¢Ã¢â ¬Ã The question is whether or not it is possible to select a proactive security solution without first conducting an assessment and audit. It seems clear that it is not: As we have argued earlier, without a comprehensive assessment and audit it will not be possible to identify and quantify each security vulnerability, and as such it will not be possible to create a bespoke and comprehensive security solution. We must therefore conclude that the state ment at the top of this paper is wholly accurate in regard to proactive security systems, while only partially accurate in regard to reactive security systems. In the last part of this paper, let us turn to examine how this statement could be improved to render it a more useful piece of guidance. One important point is that, in an evolving organisational environment, in order to ensure that the most effective security solution is maintained, regular security risk assessments and security audits must be conducted. The reason for this is self-explanatory: As the environment changes so too do the potential security risks. It is possible for a previously effective security solution, based upon a comprehensive assessment and audit, to become out-dated. Additionally, an assessment and an audit will not be useful unless the resultant solutions are actually implemented. As Axt (2003, p98) notes: à ¢Ã¢â ¬Ã
âIn the authors experience, more than one manager has nodded in agreement t o proposed solutions without having any intention of adopting the suggested measures.à ¢Ã¢â ¬Ã One final point which should be noted is the importance of employing independent auditors to conduct the security risk assessments and security audits. As Goldman and Orton (2001, p2) note: à ¢Ã¢â ¬Ã
âOnly independent and impartial tests can validate corporate security efforts, ensure that all potential security problems have been examined and exposed and provide the serviceà ¢Ã¢â ¬Ã¢â ¢s clients with objective proof that sufficient due diligence has been exercised in securing their dataCompanies need external expertise to audit their sites Bringing somebody in from the outside creates a greater initiative to find a problem. Having your internal people, who set up the security system, does not only create a questionable initiative for them to find things that are wrong but it might simply be hard for them to do. In conclusion, the author of this paper would argue that the statement at the top of this paper might be more accurately and more usefully presented as follows: à ¢Ã¢â ¬Ã
âThe protection of an organisationà ¢Ã¢â ¬Ã¢â ¢s valuable assets ought to be based on understanding security risks the best way an effective security solution can be found and implemented is by instructing a firm of independent security analysts to carry out regular comprehensive security risk assessments and security audits, and to ensure that their proposed security solutions are implemented by senior management.à ¢Ã¢â ¬Ã References and Bibliography: Landoll, D., 2006. The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. Auerbach Publications, Taylor Francis Group: New York. IBM, 2007. Acquire a global view of your organizationà ¢Ã¢â ¬Ã¢â ¢s security state: the importance of security assessments. Security Solutions White Paper. Available on-line at https://www-935.ibm.com/services/us/iss/pdf/ assess_white_paper.pdf Last accessed: 05/10/08, 13:45. Goldman, N. and Orton, E., (2001). The Critical Role of Independent Security Audits. Pp1-11. ADDSecure.net Inc. Available for download from https://www.addsecure.net/audit.rtf. Tippett, P, and Oà ¢Ã¢â ¬Ã¢â ¢Neill, D., 2001. Managing Information Security Risk. ABA Banking Journal, Vol. 93, 2001. Bedard, J., Graham, L. and Jackson, C., 2005. Information systems risk and audit planning. International Journal of Auditing 9 (2): 147-163. Axt, D., 2003. From Recommendations to Results: From Walk-Through to Implementation, a Well-Planned Security Assessment Can Ease the Way for a Successful Security Upgrade. Security Management, Vol. 47, March 2003. White, D., 1995. Application of Systems Thinking to Risk Management: a review of the literature. Management Decision, Vol. 33, No. 10, 1995, pp. 35-45. Edinburgh: MCB University Press Ltd. Footnotes [1] The selection of a suitable supplier can be as difficult as the selection of an appropriate security solution: Not all suppliers will have the necessary expertise or the products in place to meet a proposed solution. [2] One which seeks to protect an organisationà ¢Ã¢â ¬Ã¢â ¢s assets from potential security breaches, i.e. breaches which have not yet occurred but which are likely. [3] For example, the incident response model. For a brief summary of this model, see Microsoft (2004, fig. 2.1) available on-line at https://technet.microsoft.com/en-us/library/cc163152.aspx. Last accessed 04/10/08, 15:00 [4] It is unlikely that a reactive model would be appropriate for a complex organisation. As Tippett and Oà ¢Ã¢â ¬Ã¢â ¢Neill (2001, p74) write: à ¢Ã¢â ¬Ã
âIncreasing complexity = increasing vulnerability. The more complex a system gets, the more vulnerable it becomes to attack. Vulnerability increases exponentially as complexity increases.à ¢Ã¢â ¬Ã [5] It should be remembered that security audits can be rather costly (e.g. two American researchers discovered that: à ¢Ã¢â ¬Ã
âThe price of a truly comprehensive technical audit might start from US$40,000 to $85,000 and require extensive time and resources to run and implement consultants recommendations.à ¢Ã¢â ¬Ã Goldman and Orton (2001, p6)), and it is for this reason that a small organization with few valuable assets might decide to avoid an audit and simply operate a reactive model. [6] IBM, (2007, p4)
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.