Thus while risk is defined by the threat, it is also significantly altered by our vulnerability to that threat and the length of time for which the exposure will exist. If I sit here at this keyboard for long enough then, statistically, one day a lion will find its way through three locked doors and then climb up six flights of stairs, but probably not tonight, or this year.
Once we have identified and quantified these three factors we can investigate alternatives for protection against the threat. A suit of mediaeval armour may provide good protection to a knight going into battle, but would be as inappropriate for that African tribesman as it would be for the doorman at my city-centre hotel. Each individual threat must be analysed, the risk assessed, and then suitable methods of reducing the risk compared in order to determine the most suitable and cost-effective one for the given circumstances. “Was sir considering chain mail or plate?” *
Once the selected protection is in place there is always some residual risk, as no protection system is ever perfect. A suit of plate mail was so heavy that a knight who fell off his horse could not stand up again unassisted; few returned from the Crusades.
The remarkable profits made by the companies providing virus protection systems testify to the level of risk that is identified by I.T. management and users today. Yet virus attacks, and even infections, seem to be as widespread and damaging as ever. The risk has increased significantly, and its nature has altered, over twenty-five years.
The relevance?
In order to review the vulnerability of a modern I.T. infrastructure it is necessary to know what threats exist against the specific installation and to translate these into risks. In most large installations this has long since been done, perhaps by Internal Audit, perhaps by External Audit, perhaps less formally. Hopefully all potential threats have been considered and taken into account when defining the installation's overall security strategy. Analysis of the results of the technical defenses and procedures put in place can then be completed by appropriate people to determine what level of risk remains and whether this is within acceptable bounds. For physical risks, fire and flood for example, this is a fairly straightforward process requiring knowledge of the local threats and a specific skill-set for analysing the physical defenses and detecting weaknesses.
A somewhat different task is that of determining the residual risks associated, not with physical resources, but with the logical exposures of the corporate data held within the computer systems. This involves an understanding of the various ways access can be gained to the systems electronically (over networks), and locally via consoles, terminals etc. The protection afforded to these potential access paths, with respect to the processes and data held, is then analysed. Regardless of the wide publicity given by the press to (very real) Internet threats, almost all studies carried out over the last twenty-five years indicate that the greatest threats in a commercial environment are insiders (employees, consultants etc.) and technical accidents.
Cronos Consulting specialises in the IBM Mainframe installation, analysing the technical system protection which has been put in place and the associated administrative procedures. The objective is to identify those risks which remain and to suggest potential methods of further reducing them. The armoured knight on his horse was totally unable to verify that all the straps and buckles on his back were correctly fastened until they were tested by events on the battlefield! A mainframe I.T. manager can at least protect his back without risking his life, or his career.