Wednesday, October 6, 2010

Three Ways to Handle Risk in IT Systems



Risk exists in all IT systems, as in every facet of life. Risk cannot be avoided, but conversely you cannot worry about everything. We tend to be most concerned with risks identified through three lenses: our primary business activities, validated data, and industry best practice. Any risk that may affect our primary business activities must be scrutinized carefully; the impact of those risks materializing may be grave. So must any risk backed by validated data: for example, a bank branch that has had 5 armed robberies in the past 2 years is likely to see another, and a server that has been attacked several times in the past is likely to be attacked again. Finally, risks that have materialized for organizations similar to ours must be considered as well; if many similar organizations have seen a specific attack directed against them, we may well see it in the future.




For any given risk, we may choose to accept it. The risk may not be great, or the available countermeasures may be too expensive and fail to show a positive return on investment (ROI). For example, one company uses telnet to access its servers, even though telnet sends usernames and passwords over the network in clear text. It was determined that the risk in their particular case was not great, and it was accepted. There are many risks we will simply accept; the important thing is that acceptance is a recorded decision, revisited when the data behind it changes (for instance, when that server is later attacked).
An organization can also mitigate, or reduce, a risk through appropriate controls. For example, there is risk in connecting to the Internet, but that risk can be reduced through the use of a good firewall, an intrusion detection system (IDS), and antivirus software. These are all examples of security controls used to mitigate risk. Sometimes a risk is mitigated to the point that it effectively no longer exists, though more often some residual risk remains and must itself be accepted or transferred.
It is also possible in some cases to transfer risk to others, for example through insurance. This is often called the "insurance model", and it does apply in some areas of IT; insurance against IT losses is becoming more and more common. Note that insurance transfers the financial loss, not the incident itself: the compromise still happens and still has to be handled.
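The following is an added example, not part of the original article, showing how the three treatments can be compared on a common footing. It uses the standard quantitative risk formula ALE = SLE × ARO (annualized loss expectancy = single loss expectancy × annual rate of occurrence), which the article does not state but which underlies its ROI argument. The risks, control costs and insurance terms are constructed figures, chosen to mirror the article's own cases: the telnet servers that were accepted, the Internet connection that was mitigated, and a large loss that is cheaper to insure than to prevent. The ARO for the attacked server is derived from incident history, as the article suggests.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: expected loss from one incident
    aro: float  # annual rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss if nothing is done."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_fraction: float  # share of the ALE that remains after the control (0.0 = eliminated)


@dataclass(frozen=True)
class Insurance:
    name: str
    premium: float
    covered_fraction: float  # share of each loss the insurer pays


def aro_from_history(incidents: int, years: float) -> float:
    """Validated-data estimate of ARO: past incidents divided by the observation window."""
    return incidents / years


def mitigate_cost(risk: Risk, control: Control) -> float:
    """Expected yearly cost with the control in place: its cost plus the residual loss."""
    return control.annual_cost + risk.ale() * control.residual_fraction


def transfer_cost(risk: Risk, policy: Insurance) -> float:
    """Expected yearly cost with insurance: the premium plus the uncovered part of the loss."""
    return policy.premium + risk.ale() * (1.0 - policy.covered_fraction)


def control_roi(risk: Risk, control: Control) -> float:
    """Net yearly benefit of a control; negative means it costs more than the loss it avoids."""
    avoided = risk.ale() * (1.0 - control.residual_fraction)
    return avoided - control.annual_cost


def choose_treatment(risk: Risk, control: Optional[Control] = None,
                     policy: Optional[Insurance] = None,
                     tolerance: float = 0.0) -> Tuple[str, float]:
    """Return (treatment, expected annual cost) for one risk.

    Accept outright when the untreated ALE is within tolerance. Otherwise pick the
    cheapest option by expected annual cost; acceptance still wins when every
    available treatment costs more than the loss it addresses (the ROI test).
    """
    if risk.ale() <= tolerance:
        return "accept", risk.ale()
    options = {"accept": risk.ale()}  # listed first so ties resolve to the cheapest passive choice
    if control is not None:
        options["mitigate"] = mitigate_cost(risk, control)
    if policy is not None:
        options["transfer"] = transfer_cost(risk, policy)
    best = min(options, key=options.get)
    return best, options[best]


def treat_portfolio() -> dict:
    """Constructed portfolio (hypothetical figures) illustrating all three outcomes."""
    telnet = Risk("telnet on lab access servers", sle=2_000, aro=0.1)
    ssh_migration = Control("replace telnet with SSH", annual_cost=5_000, residual_fraction=0.0)

    # Server attacked 4 times in the last 2 years, as the validated-data lens suggests.
    internet = Risk("compromise of Internet-facing server", sle=25_000, aro=aro_from_history(4, 2))
    perimeter = Control("firewall + IDS + antivirus", annual_cost=15_000, residual_fraction=0.2)
    cyber_policy = Insurance("cyber policy", premium=20_000, covered_fraction=0.8)

    breach = Risk("bulk customer-data breach", sle=1_000_000, aro=0.05)
    dlp = Control("data loss prevention program", annual_cost=60_000, residual_fraction=0.1)
    breach_policy = Insurance("breach policy", premium=20_000, covered_fraction=0.9)

    return {
        telnet.name: choose_treatment(telnet, control=ssh_migration),
        internet.name: choose_treatment(internet, control=perimeter, policy=cyber_policy),
        breach.name: choose_treatment(breach, control=dlp, policy=breach_policy),
    }


if __name__ == "__main__":
    for name, (treatment, cost) in treat_portfolio().items():
        print(f"{name}: {treatment} (expected annual cost {cost:,.0f})")
```

The telnet case is accepted because the SSH migration shows a negative ROI against a 200-unit ALE; the attacked server is mitigated because the perimeter controls beat the premium; and the breach is transferred because insuring a rare but very large loss is cheaper than preventing it. In practice the SLE and ARO inputs are the hard part, which is why the article stresses validated data and peer experience over guesswork.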
One option that is not acceptable is sticking your head in the sand and claiming there is no risk. Just as a chain-smoking friend of mine claims his smoking does not constitute a health risk to himself, this is foolish and illogical.
There will always be risk, but by rationally accepting, reducing (mitigating), and transferring risks as appropriate, we can bring risk down to an acceptable level.
I write on many topics like information security and family issues. See some of my other writings at Annie Costume and Annie Oakley Costume.
Article Source: http://EzineArticles.com/?expert=Harold_Baldwin
