Operational and Organizational Security: Incident Response • Chapter 11 655
able threats that may include intrusions, vandalism, theft, or other incidents and
situations that vary from business to business.
There is no way to eliminate every threat that may affect a business. There is no
such thing as absolute security. To make a facility absolutely secure would be
excessive in price, and it would be so secure that no one would be able to enter and do
any work. The goal is to manage risks, so that the problems resulting from them will
be minimized.
The other important issue to remember is that some threats are expensive to
prevent. For example, there are a number of threats that can impact a server.
Viruses, hackers, fire, vibrations, and other risks are only a few. To protect the server,
it is possible to install security software (such as antivirus software and firewalls) and
make the room fireproof, earthquake proof, and secure from any number of threats.
The cost of doing so, however, will eventually exceed the
value of the asset. It is wiser to back up the data, install a firewall and antivirus
software, and accept the risk that the other threats may occur. The rule of thumb is to
decide which risks are acceptable.
After calculating the loss that may be experienced from a threat, cost-effective
measures of protection must be found. To do this, you need to identify which
threats will be dealt with and how. Decisions need to be made by management as
to how to proceed, based on the data collected on risks. In most cases, this involves
devising methods of protecting the asset from threats by installing security software,
implementing policies and procedures, or adding other security measures to
protect the asset.
It may be decided that the risks and costs involved with an asset are too high.
In such cases, the asset should be moved to another location or eliminated
completely. For example, if there is concern about a Web server being affected by
vibrations from earthquakes in California, then moving the Web server to the branch
office in New York nullifies the threat. Removing the asset subsequently eliminates
the threat of it being damaged or destroyed.
Another option is to transfer the potential loss associated with a threat to
another party. Insurance policies can be taken out to insure an asset, so that if any
loss occurs, the company can be reimbursed through the policy. Leasing equipment
or services through another company can also transfer a risk. If a problem occurs,
the leasing company is responsible for fixing or replacing the assets involved.
Finally, the other option is to do nothing about the potential threat and live
with the consequences (if they occur). This happens often, especially when
considering that security is a tradeoff. Every security measure put in place makes it more
difficult to access resources and requires more steps for people to do their jobs. A
www.syngress.com