Wednesday, February 23, 2011


Paradox in the computer world: the risks of being safe

Among the first questions a company faces when it seriously wants to achieve a greater level of security, one of the most ruthless is: what level of security can you get? It is clear that absolute security does not exist, but how much is enough? These lines aim to address exactly that.

We will start from the understanding that there is an organization with different levels of hierarchy, infrastructure, equipment and all kinds of assets. Since we are talking about information security, the first thing to do is identify the information assets owned by the company. After that, we can start with a series of questions that are sometimes difficult to answer. The first might be: what events might affect my assets? Suppose you have a datacenter with multiple servers; clearly we could face the problem of running out of power or losing the Internet connection. Depending on how much these events affect the operation of the business, certain steps must be taken.

In short, what we are doing is a risk analysis. If we delve further into the matter, we see that many of the typical problems facing one company are often the same as those facing another, so it will generally not be necessary to reinvent the wheel: there are manuals and different methodologies that address risk analysis and management.

Either way, the discussion is not about knowing what affects us, but rather how it affects us and what we can do about it. For example, if defending the data center against a possible alien attack required a series of anti-aircraft guns, our business would probably not support it, due to the low probability of the incident occurring, despite its potentially destructive effect. That is, we can minimize the damage caused by the impact of the threat, but to what extent? This is the problem.

Generally we speak of risk management, not risk elimination, since risks generally cannot be removed (unless you remove the affected asset). Like error, risk can be minimized but not eliminated. In addition, it can be transferred (for example, through an insurance policy) or accepted. The decision will depend on how much you are willing to spend. To minimize risk, countermeasures are taken, which aim to reduce the damage or impact, or even to prevent the event from occurring.

In short, the risk must be reduced to a threshold the business can tolerate. If we admit the possibility of losing a sum of money and the company can sustain that loss, the risk is properly managed. As is known, security decisions are not made on the basis of technology but on the basis of business continuity and improvement.

