I see information as being like a glass vase you have put on a three-legged stool. The stool is standing on uneven ground, in a river of melted chocolate (yes, I'm peckish). If any leg is the wrong length, the vase will fall and be swept away. If the seat is too low, the vase will also be swept away. If the seat is too high, you won't be able to see the vase, and you may break it trying to get at it. Now, you may not be bothered about losing the vase, but then again you may. Depends on the vase.
The three legs of the stool represent the three main attributes of information: Confidentiality, Availability, and Integrity. The uneven ground represents your different tolerances of threats to those three attributes. The chocolate river represents the threats to your information. The length of each leg is the amount/severity of controls which have been applied to protect the information's availability, confidentiality and integrity. The space you decide to put between the bottom of the seat of the stool and the chocolate is your risk tolerance. If the vase is swept away or broken, that's an information security incident. This can be because the seat is uneven, or the seat is too low, or too high. Not being able to see it is analogous to having so many security controls that you cannot do your work effectively, and breaking it while trying to get to it is analogous to creating an incident as a consequence of requiring overly strong controls (e.g. complex passwords which people then write down on Post-Its).
The role of infosec is to work out how uneven the ground is, and to help you get the legs to the right length, also bearing in mind the likely strength of the chocolate river now and in the future. Which means that you're always at risk of an unexpected chocolate tsunami, but hey, that's life...
OK, this isn't a perfect analogy, but hopefully it helps. Or makes you crave chocolate. It does imply that there isn't a "perfectly secure" situation, just one which is suitable to your organisation's needs, attitudes and risks.