This excerpt is from Chapter 2, Identity Management and Security, from the free e-book, The Definitive Guide to Identity Management written by Archie Reed and published by Realtimepublishers.com. Download
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
the e-book
at http://www.rainbow.com/insights/ebooks.asp.
Risk and trust
When evaluating solutions that enforce security, there is always compromise. Within the security space, this compromise is considered risk management. The reason is that generally the more security you put into place, the less usable the system. In line with that consideration is the acceptance that a system has a value to the organization, which must be secured.
Often the only way to calculate the risk is to use a qualified actuarial representative -- essentially a statistician who computes risks and premiums, generally for insurance policies. Given that this resource is beyond the reach or reality of most organizations, the calculations are done by internal staff as they attempt to define ROI for a project. Calculating such value is different from organization to organization, and project to project, and can involve basic concepts such as the impact of having employees unable to work overtime due to system security breaches, the potential impact of customers (for example, a boycott), or even legal action against the company. Although calculating the value of more physical considerations is fairly easy, determining the cost of service abuse relative to corporate reputation and similar intangible assets can be very difficult. The point is that as you begin to asses the value of the assets that you are trying to protect, it is important that you utilize representatives from across the organization.
Perhaps a more appropriate baseline to begin assessing risk is to ask more generic questions that can be changed as appropriate for your specific situation, along the following lines:
- How secure is my infrastructure? Is sensitive data protected if disgruntled employees gain access to restricted systems or resources?
- How secure are my connections beyond my infrastructure? Can you ensure that your high-value online transactions are binding?
- How secure are my communications within and external to my infrastructure? Are confidential e-mails and files protected from interception by unauthorized employees, competitors and malicious parties?
- Is there a plan to improve security over time?
- Is security actually improving over time?
- Can I transfer risk using different solutions (for example, outsourcing)?
- How does my security compare with that of similar companies in the industry?
- How will I respond to a breach in security?
>> Read the rest of this excerpt from Chapter 2, Identity Management and Security
For more information on this topic, visit these resources:
- Guest Commentary: It's not who you know; it's who you... are
- News & Analysis: Identity management a must for the virtual enterprise
- News & Analysis: Identity management good for bottom line
This was first published in August 2003