Risk analysis begins with an important question: how concerned do you need to be about security? The answer to that question is provided by your risk analysis. Risk analysis can be thought of as a three-step process: identifying assets, identifying threats, and calculating risk.
Identifying assets takes into account more than one thing. The first, and perhaps most obvious, is to actually take an inventory and value assessment of all computer and network components. Next, you must identify what you need to protect.
Clearly you need to physically protect equipment from theft and damage, but is that where it ends for your school? Probably not; if the answer was yes, then you would have no concern for either the missing icon or insidious virus in the scenario above. So you also want to protect "soft" aspects of your systems. This may include locking down all desktops, securing a database from unauthorized access, or even denying certain types of information from entering the local area network or desktop computers.
One approach that may help you to think about this is to daydream for a moment. Think about designing the perfect local area network and configuring each computer to exactly meet the needs of your users. If you could, you would love to lock that system into place so that it is that way each time a user uses the system. This should identify what it is you need to protect. If it helps, consider your assets in two categories: tangible and intangible.
Tangible assets are generally items that can be counted and inventoried with a set value. In addition to hardware, software and data can generally be considered tangible assets. Data can be further divided into proprietary data that has development or research value, and personnel data that is of a sensitive nature and whose compromise would result in violation of personal privacy or possible personal safety issues. Personnel data, which falls under intangible assets, is something that almost every organization needs to be concerned about.
Tangible assets to consider include:
- Computers, computer components, communication equipment, printers, wiring
- Proprietary data
- Backups and archives
- Manuals, guides, books
- Audit records
- Distribution media for licensed software
Take a moment to also consider the intangible assets in your system. Intangible assets are things to which you cannot assign a dollar value, but which should still be strongly considered when developing a security plan for your school.
Intangible assets to consider include:
- Safety and health of personnel
- Privacy of users
- Public image and reputation
- Processing availability
- Configuration information
Each of these things should be considered valuable assets that should be secured.
Do you think hackers might be interested in going through the hassle of breaking into your servers? The likely answer is yes!
You must be realistic about what it is that you are defending against. This parallels other security in our lives. Generally speaking, modest security measures with our house and our car adequately defend against the casual criminal just looking for an easy target. Can you identify the threat in this example? The threat is the "criminal looking for an easy target." This is what you need to focus on in this step of the risk analysis process.
In identifying threats, open your mind to think of all of the things, malicious, accidental, or natural, that could compromise your assets. This may lead you to consider the threat of the water pipes running above the dropped ceiling in the computer lab; the threat to the operation of the system if your only system administrator becomes ill or leaves the school; the threat of your systems contractor or software vendor going bankrupt; the threat of users installing software on the machines in the computer lab; and so forth.
The following list will help you consider the wide range of threats that you may wish to secure your assets against:
- Natural disasters: rain, fire, flood, earthquake, explosion, lightning, building structural failure
- Illness or loss of key personnel
- Simultaneous illness of many personnel
- Loss of utilities (short term and long term)
- Theft of assets
- System configuration changes
- Computer viruses
- Vendor bankruptcy
- Bugs in software
- Subversive employees or contractors
- Labor unrest
- Political terrorism
- Random hackers
- Users posting inflammatory or proprietary information on the Internet
- Spam mail
Consider as a threat anything that would compromise the assets defined in the first step of this three-step risk analysis process.
You have defined your assets (exactly what you need to defend) and you have defined the realistic threats that could compromise your assets. Now it's time to decide how far your organization is willing to go to defend against the threats in order to protect your assets.
Consider two ends of the spectrum for a moment. First, consider taking no measures at all to secure your assets; this will likely result in higher costs of operation. For example, assume one of your assets is the set of icons users expect to find on every computer desktop. If you take no measures to lock down the desktop, a staff person will likely have to continually replace icons on desktops as they disappear, resulting in extra labor and wasted computing time while the workstation is being "fixed." Together, these two factors result in higher costs of operation. It is cost effective to invest some resources initially to secure the desktops so that fewer fixes are necessary and resources are more readily available to authorized users.
Now let's consider the other end of the spectrum: a computer system with the security of Fort Knox. It isn't difficult to see that soon, the cost of security can surpass the value of your assets, thus again raising the cost of operation.
The goal of this third step is to minimize the cost of operation and maximize the return on your systems by finding a balanced approach, one that will protect your assets without outweighing their value or making them more inconvenient or less productive for users.
There is an inverse relationship between security and convenience; that is, as security increases, convenience for the user often decreases. Imagine if you had the security of the White House for your home. Not only would your security cost more than the value of your home, excepting perhaps the value of your family's safety, but you would make it extremely inconvenient for you and your family to use the home.
Find the balance between your assets, threats, and how much time, effort, and money you are willing to spend to achieve "adequate" protection. If, or when, an incident does occur, you should be able to say "Yes, we knew about that hole, but to have adequately plugged it would have cost us more than the assets affected are worth." It may seem absurd to recognize a threat and choose not to guard against it, but when you realistically look through the list of possible threats, some, like political terrorism, just may not be likely enough to take strong measures against. But it could still occur.
In calculating risk, you are essentially comparing the cost of your assets (or litigation, if the "asset" is data privacy for which you are legally responsible) to the cost of security.
It is also important to note that the cost of security includes not only the hardware, software, and the time required for your technical staff to implement such security measures. It also includes the decrease in productivity caused by the reduction in system performance that inevitably accompanies the addition of security packages. All of these issues must be factored into your calculations to arrive at a valid evaluation of the potential cost of security.
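The comparison described above can be worked through as a small risk register. This is an added example, not part of the original text; all dollar figures and frequencies are constructed, and weighting each loss by an estimated yearly likelihood and by a `reduction` factor is an assumption of the example rather than a formula given here.

```python
from dataclasses import dataclass

@dataclass
class Control:
    hardware: float           # purchase cost, spread per year
    software: float           # licences per year
    staff_hours: float        # technical staff time per year
    hourly_rate: float
    productivity_loss: float  # yearly cost of slower or less convenient systems

    def annual_cost(self) -> float:
        return (self.hardware + self.software
                + self.staff_hours * self.hourly_rate + self.productivity_loss)

@dataclass
class Risk:
    threat: str
    asset: str
    loss_per_incident: float   # asset value, repair labor or litigation cost
    incidents_per_year: float  # likelihood estimate (assumption of this example)
    control: Control
    reduction: float           # fraction of expected loss the control removes

    def expected_loss(self) -> float:
        return self.loss_per_incident * self.incidents_per_year

    def decision(self) -> str:
        # Mitigate only when the loss avoided exceeds the full cost of security.
        avoided = self.expected_loss() * self.reduction
        return "mitigate" if avoided > self.control.annual_cost() else "accept"

def triage(risks):
    """Return (threat, decision) pairs, largest expected yearly loss first."""
    ranked = sorted(risks, key=lambda r: r.expected_loss(), reverse=True)
    return [(r.threat, r.decision()) for r in ranked]

# Constructed sample figures for a school lab; none come from the text above.
REGISTER = [
    Risk("Users removing desktop icons", "Configuration information",
         25, 200, Control(0, 600, 20, 30, 300), 0.9),
    Risk("Water pipe leak above lab", "Computers",
         40000, 0.02, Control(500, 0, 4, 30, 0), 0.8),
    Risk("Political terrorism", "Computers",
         200000, 0.0001, Control(30000, 5000, 100, 30, 12000), 0.5),
]

if __name__ == "__main__":
    for threat, decision in triage(REGISTER):
        print(f"{decision:9} {threat}")
```

A threat marked "accept" stays in the register, so the decision not to guard against it is recorded and can be revisited when the estimates change.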