Excerpt from the course
To believe the news media, there are a host of cruel and omnipotent hackers out there who can totally
destroy any system they set their minds to, spreading total devastation upon whoever and wherever they wish, and the
slightest freak of nature (heavy rain, a fire, a date on a calendar) can wipe any system out entirely. This is not the
case: the devastation is not total, the destruction is not complete, and there are countermeasures which can be brought to
bear to avoid this disastrous outcome.
Introduction
There are a number of very real risks to information systems, but they are not absolute. There is a chance of
any system being subject to attack, but it isn't certain. You are not at the mercy of the whims of the attacker or of nature;
there are many things which can be done to mitigate the losses.
Risk management is the total process of identifying, measuring, and minimizing uncertain events affecting
resources. This paper was written to help in the objective analysis of the risk management process.
Evaluating What Is At Risk
Every asset has an associated cost. The cost of a physical asset should be at least its replacement cost, which
should also allow for inflation since the asset was bought. Categories that should be considered are:
Facilities: All buildings, air conditioning, furnishings and other support equipment, excluding any asset
more properly classifiable in another asset category. Think of events like fire or flood; other
possibilities include earthquake, bombs and chemical contamination which causes the EPA to close the
facility. The cost associated with lost computing resources can be taken as the cost to run the resource for a given time
period, or estimated from the time required to rebuild/compile, test and re-install.
Equipment: All information system equipment located in the contiguous area. Does NOT include
equipment that would NOT be lost in a fire that completely destroys the computer facility, such as
relay equipment under a manhole cover or mounted on a telephone pole outside the facility. For everything
that you had to buy and install in the center, the purchase price should be easy to obtain. Also
check the maintenance agreement: there may be a proviso among the warranty information covering replacement.
Software: All programs and documentation that would be lost if the computer facility were completely
destroyed. This can be broken down into:
Commercial - You bought it, you can consult your receipt. Check the warranty
information, because it may be replaced for free in the event of disaster.
Proprietary - You developed it yourself. How much would it cost to re-create it?
Records and Files: All magnetic media data files that would be lost if the facility were completely
destroyed. Simply count the media and multiply by the unit cost. The information content of those items is covered next.
Data and Information: An arbitrary value methodically applied to represent the value of all data and
information maintained in the computer facility; including any losses that might occur were the data
compromised but not necessarily destroyed.
For estimating the cost of the data itself, talk to the information owners: find out how much time
and resources would be required to replace it (if they need to replace it at all). Cost the time and resources; the
procurement department should be able to cost staff time when needed. One measure is the labor needed to
recreate it. To this should be added the "opportunity cost": the money unearned because one is busy
recreating instead of proceeding with other business. Try to estimate the impact on the business by asking questions
such as: "Can you do your work without this data? If not, can the company operate without revenue until
you get the information back?" and so on. Estimate the cost of this impact, taking into account intangibles such
as loss of business and loss of reputation. Internal and external auditors should be able to help with the cost
estimating.
Information results from the processing of data. Although there are ways to quantify and
characterize data, measuring the value of information is more difficult. Often a small amount of
information will have greater value than large amounts of other information. The need to design cost-effective
information protection architectures adds new urgency to this classic problem. There is no one
metric that applies to all circumstances, but an approach using multiple metrics, each looking at one aspect,
can still be useful. Although it would be nice to have a simple way of assigning an absolute value to
information, it may be more useful to assess value relative to some context, including the uses that are to
be made of it as well as the actions of competitors or enemies.
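The valuation rules above (inflation-adjusted replacement cost for physical assets, exclusion of equipment that would survive the loss of the facility, free replacement of commercial software under warranty, count-and-multiply for media, and labor plus opportunity cost plus intangibles for proprietary software and data) written out as a small asset register in Python. This is an added example, not code from the original paper; the inventory figures, the 10 % inflation rate and the class and function names (`PhysicalAsset`, `RecreatableAsset`, `value_by_category`, `largest_exposure`) are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The asset categories listed in the text."""
    FACILITIES = "facilities"
    EQUIPMENT = "equipment"
    SOFTWARE = "software"
    RECORDS = "records"
    DATA = "data"


def replacement_cost(purchase_price: float, annual_inflation: float, years: float) -> float:
    """Replacement cost of a physical asset: the purchase price compounded
    at the inflation rate for the years since it was bought."""
    return purchase_price * (1.0 + annual_inflation) ** years


@dataclass
class PhysicalAsset:
    """Facilities, equipment, commercial software and storage media:
    valued at inflation-adjusted replacement cost."""
    name: str
    category: Category
    purchase_price: float
    years_owned: float
    inside_facility: bool = True              # relay gear under a manhole is not lost with the center
    replaced_free_under_warranty: bool = False  # e.g. commercial software replaced free after a disaster

    def value_at_risk(self, annual_inflation: float) -> float:
        if not self.inside_facility or self.replaced_free_under_warranty:
            return 0.0
        return replacement_cost(self.purchase_price, annual_inflation, self.years_owned)


@dataclass
class RecreatableAsset:
    """Proprietary software and data: valued at the labor needed to recreate it,
    plus the opportunity cost of the business that stops meanwhile,
    plus an owner-supplied figure for intangibles (lost business, reputation)."""
    name: str
    category: Category
    recreate_hours: float
    hourly_labor_rate: float
    days_without_it: float
    daily_loss: float
    intangible_loss: float = 0.0

    def value_at_risk(self) -> float:
        labor = self.recreate_hours * self.hourly_labor_rate
        opportunity = self.days_without_it * self.daily_loss
        return labor + opportunity + self.intangible_loss


def value_by_category(assets, annual_inflation: float) -> dict:
    """Sum the value at risk of every asset, keyed by category name."""
    totals = {c.value: 0.0 for c in Category}
    for asset in assets:
        if isinstance(asset, PhysicalAsset):
            totals[asset.category.value] += asset.value_at_risk(annual_inflation)
        else:
            totals[asset.category.value] += asset.value_at_risk()
    return totals


def total_value_at_risk(totals: dict) -> float:
    return sum(totals.values())


def largest_exposure(totals: dict) -> str:
    """Category whose loss would cost the most; where to spend protection budget first."""
    return max(totals, key=totals.get)


# Constructed inventory: hypothetical figures, not taken from the original paper.
INFLATION = 0.10   # 10 % a year, chosen so two years compounds to exactly 1.21

INVENTORY = [
    PhysicalAsset("computer room fit-out", Category.FACILITIES, 400_000, 2),
    PhysicalAsset("mainframe", Category.EQUIPMENT, 200_000, 2),
    PhysicalAsset("line relay under manhole", Category.EQUIPMENT, 30_000, 2, inside_facility=False),
    PhysicalAsset("commercial DBMS licence", Category.SOFTWARE, 50_000, 2, replaced_free_under_warranty=True),
    RecreatableAsset("in-house billing system", Category.SOFTWARE, 2_000, 60, 30, 1_000),
    PhysicalAsset("500 backup tapes at 40 each", Category.RECORDS, 500 * 40, 2),
    RecreatableAsset("customer database", Category.DATA, 400, 60, 10, 20_000, intangible_loss=300_000),
]

if __name__ == "__main__":
    totals = value_by_category(INVENTORY, INFLATION)
    for category, value in totals.items():
        print(f"{category:12s} {value:12,.0f}")
    print(f"{'total':12s} {total_value_at_risk(totals):12,.0f}")
    print("largest exposure:", largest_exposure(totals))
```

Running it prints the value at risk per category. In this constructed register the relay under the manhole and the warranty-replaced DBMS contribute nothing, and the single customer database, which is mostly opportunity cost and intangibles rather than recreation labor, outweighs every physical category; that is the point made above that a small amount of information can be worth more than large amounts of other assets, and it is why the information owners, not the hardware inventory, have to supply the figures.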
Zip archive contents
- Risk Management.pdf