Sunday, August 12, 2012

The Foundation for Security Management


The foundation of any security program should be risk. When security is treated as a theoretical exercise, it often becomes counterproductive. I've seen both: in an academic environment in which instructors teach security concepts as absolutes, and in a professional environment in which this absolutist approach led to conflict, resentment and backlash. A risk-based approach to security is a practical approach to security. It must first, however, explore two crucial questions: what is the risk, and the risk to what? The answers vary from company to company, and every organization must go through the process of determining the answers for itself. Without this, organizations tend to seek out "best practices" and follow them without considering whether they actually need them.

Risk is the chance that a vulnerability, weakness, or missing security control will be exploited by a threat agent (a hacker, a distracted employee, a natural disaster, etc.), leading to negative consequences for an organization. In a nutshell, it is the chance that something bad will happen. There will always be some degree of risk; a robust security program, however, must be able to reduce it to a level that the organization's management considers acceptable. This is what risk management means. I recently had a consultation with a small company that was about to lose its "IT guy". He handled everything technical, from configuring Outlook on the desktops to managing the company's server, which hosted their mission-critical applications and was co-located "somewhere". He visited the server several times a month, and apparently no one knew why he went or what he did there. There was no documentation of any kind. He was about to leave in less than a week, and they were scrambling to find a replacement. As this example shows, dependence on a single person is par for the course in small businesses like this, but it leads to considerable risk, especially when that person is unhappy and leaving. My first advice to them was to have him document (as best he could) everything he did on a daily basis and why. Hopefully one lesson learned here will be to have his replacement keep up the same routine.

As for what is at risk, we must refer to the three fundamental principles of security: confidentiality, integrity and availability. A security program, regardless of size, should protect against the risk of unauthorized disclosure and modification of corporate data, and ensure that both data and resources are available when needed. Risk management must cover data, personnel, processes, and physical and technical resources. The effectiveness of a security program depends on how well it addresses and mitigates the risks an organization faces. First, however, one must identify those risks.

Do you know what risks your business faces? ......
