Operational and Organizational Security: Incident Response • Chapter 11 607
Not all equipment is at risk from the same threats. For example, a workstation at a receptionist's desk is vulnerable to members of the public who may be able to view what is on the monitor or access data when the receptionist steps away. Equipment is also vulnerable to accidental or malicious damage, such as when a user or visitor accidentally knocks a computer off a desk or spills something on a keyboard. A server locked in the server room would not be subject to the same type of threats as the receptionist's workstation, since access to the room is limited to members of the Information Technology (IT) staff. Because the level of risk varies between assets and locations, risks must be evaluated for each individual device.
When designing security, it is important to strike a balance between the cost of security and the potential loss—you do not want to pay more for security than the equipment and data are worth. Servers are costly and may contain valuable data, so a higher level of security is needed to protect them. On the other hand, an old computer in the Human Resources department that is used for keyboarding tests given to prospective employees needs little or no protection.
When determining value, it is important to consider not only the actual cost of something, but how difficult it is to replace. While certain data may be of relatively low cost value, it may still be important to a company and difficult to replace. For example, a writer may have the only copy of a book on his hard disk. Because it has not been published, the actual value of the book is minimal, and the cost of creating the book is limited to the time it took the writer to type the material. However, if the hard disk crashed and the book was lost, it would be difficult to replace the entire book. Even if the writer rewrote the book, it would be unlikely that the new version would be identical to the original. By determining the difficulty in replacing data, you are better able to determine its non-monetary or potential value.
Another point to remember is that equipment is often devalued yearly for tax purposes, making it seem that the equipment has no worth after a certain time period. If this is the only measurement of worth, security may be overlooked in certain areas, because the equipment does not seem to have any reasonable value. However, older systems may be vital to an organization, because they are used for important functions. For example, a small airport may use older systems for air traffic control such as takeoffs, landings, and flying patterns of aircraft. Because these older systems are essential to normal operations, they are more valuable than a new Web server that hosts a site with directions to the airport. When determining value, you must look at the importance of the equipment as well as its current monetary value.
www.syngress.com