100% security is a fallacy. In reality, an organization can never be made 100% secure. Only when the systems and data are offline, not connected to any other device, and kept physically secured and monitored, or alternatively when they are totally shut down, can one assure that they are 100% secure. Nothing is 100% secure the moment it is online, connected to a network of devices and/or to the Internet, and subject to access by people or other devices, whether directly, indirectly or remotely. Security and emerging threats need to be continually assessed and addressed to assure the desired level of security.
Desired level of security
The key to being “secure” is establishing a “desired level of security”. Increasing the level of security (controls) directly impacts user convenience (e.g., availability, accessibility, etc.). The “desired level of security” for each Information System, or for a component of an Information System in a complex environment, can be arrived at by performing a “Business Impact Analysis”, a.k.a. BIA. The BIA has to be signed off by the Data Custodian or the Business Owner. The BIA, as a user-fillable form or questionnaire, should be laid out in simple business terms that a Business Owner can understand; however, the data collected therein should arrive at the “desired level of security” across “Confidentiality, Integrity and Availability”, the three pillars of Information Security. Since the information is collected, processed and maintained for the business, the Business Owner is the most appropriate person to dictate the security requirements, in business language.
I can provide more information and details on BIA if anyone is interested. Let me know by commenting.