Determining the Next Step

At this point in the project, you should take a moment to thank everyone who has been involved. It is important that all members of the team go their separate ways feeling as positive as possible, knowing that they helped contribute to the bettering of the overall security of the organization. It may be appropriate to hold a final meeting at which you thank everyone for their contributions and express enthusiasm that they all played a part in building a more secure organization. Based on the findings, some of these same individuals may be involved in implementing controls to improve security.

Finally, don't forget that trade-offs must sometimes be made between business objectives and security. Your job here is to make recommendations. Management is ultimately responsible for determining what is right. These trade-offs may not always be resolved in favor of security; management must make the decision to accept risk. For example, your findings might indicate that e-commerce activities put the organization at a greater risk of attack or denial-of-service. However, this may be weighed against data that indicates the organization may have a 60% growth in profit by doing business over the Web. Therefore, management may decide to accept the risk because there is such a high potential for added growth and revenue. In the end, there is always a trade-off between security and usability, as shown in Figure 9.2.

Figure 9.2. Security and usability trade-off.

Accidents, errors, and omissions account for much higher losses than deliberate acts. Some studies indicate that more than 60% of information losses are caused by accidents, and only 35 to 40% by deliberate acts. Of those deliberate acts, most can be traced to internal sources. That's right: the people you have the most to fear are those closest to you! Therefore, controls that reduce the potential for harm by insiders should always rank high on your list of recommendations. Building good policies and policy enforcement mechanisms is critical. Security against deliberate acts can be achieved only if a potential perpetrator believes there is a definite probability of being detected.
