Tip

Identity Management and Security

Written by Archie Reed; Published by Realtimepublishers.com

This excerpt is from Chapter 2, Identity Management and Security, from the free e-book, The Definitive Guide to Identity Management written by Archie Reed and published by Realtimepublishers.com. Download

    Requires Free Membership to View

the e-book at http://www.rainbow.com/insights/ebooks.asp.

Risk and trust

When evaluating solutions that enforce security, there is always compromise. Within the security space, this compromise is considered risk management. The reason is that generally the more security you put into place, the less usable the system. In line with that consideration is the acceptance that a system has a value to the organization, which must be secured.

Often the only way to calculate the risk is to use a qualified actuarial representative -- essentially a statistician who computes risks and premiums, generally for insurance policies. Given that this resource is beyond the reach or reality of most organizations, the calculations are done by internal staff as they attempt to define ROI for a project. Calculating such value is different from organization to organization, and project to project, and can involve basic concepts such as the impact of having employees unable to work overtime due to system security breaches, the potential impact of customers (for example, a boycott), or even legal action against the company. Although calculating the value of more physical considerations is fairly easy, determining the cost of service abuse relative to corporate reputation and similar intangible assets can be very difficult. The point is that as you begin to asses the value of the assets that you are trying to protect, it is important that you utilize representatives from across the organization.

Perhaps a more appropriate baseline to begin assessing risk is to ask more generic questions that can be changed as appropriate for your specific situation, along the following lines:

  • How secure is my infrastructure? Is sensitive data protected if disgruntled employees gain access to restricted systems or resources?
  • How secure are my connections beyond my infrastructure? Can you ensure that your high-value online transactions are binding?
  • How secure are my communications within and external to my infrastructure? Are confidential e-mails and files protected from interception by unauthorized employees, competitors and malicious parties?
  • Is there a plan to improve security over time?
  • Is security actually improving over time?
  • Can I transfer risk using different solutions (for example, outsourcing)?
  • How does my security compare with that of similar companies in the industry?
  • How will I respond to a breach in security?

>> Read the rest of this excerpt from Chapter 2, Identity Management and Security


For more information on this topic, visit these resources:


This was first published in August 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.