Critical Asset Priority
Critical assets are essentially divided into three supporting pillars listed in rank order:
- Human resources
- Data
- Physical facilities
Addressing risks is very similar to knowing your adversary: know the risks, accept the risks, mitigate the risks, transfer the risks, and avoid the risks. It is important to know which events can have a detrimental effect on your organization's assets. Harmful events are best understood when they are quantified in the form of a schedule showing the relationships between assets, threats and their frequency, vulnerabilities, and cost-effective safeguards.
By accepting risks, you are not denying their probability or their impact; rather, you have decided to take measures to protect your assets. By addressing risks, you are committed to implementing cost-effective, asset-protecting safeguards. The most desirable asset safeguard is one that avoids risk altogether, so the asset never suffers diminishment. A subset of risk avoidance is one where the negative impact of the harmful event is postponed, hopefully forever.
The process of transferring risks can also be addressed by implementing safeguards protecting specific assets. An example of a "transferring risk" safeguard is the outsourcing of employee payroll and benefits processing. By passing this responsibility to someone else, accompanied by specific contractual performance requirements, the risk is passed from the original enterprise to the processor. In the event of a critical incident, the asset, risks, and attendant expense are transferred elsewhere.
Mitigating risks is the process by which their probability of happening is reduced. A subset of risk mitigation is reducing the harmful effects on assets of the events that do occur. This mitigation process can be highly complex, involving sophisticated strategies, or it can be as simple as instituting a company-wide policy.
In considering risks, the value of a proactive program is not necessarily determined by its complexity and expense. Never underestimate the value of a simple, well-written policy. An example of a simple policy is employee Internet use. Employees, as a condition of their employment, agree that Internet use is permitted only as part of their official duties. Policies, read and acknowledged by each employee, prohibit personal Internet use.
Experience note: An example of a critical incident that can seriously damage business operations is a senior employee, Bob, who gets a little bored after lunch and begins to surf the Internet from his workstation. He is aware of the business-only policy, but chooses to ignore it. Because most of the office is an open bullpen, privacy in his workplace does not exist. After checking his Internet e-mail, he does some online shopping, and because none of his co-workers are looking, he takes a peek at some soft pornography Web sites. He begins to lose track of time and surfs to some sites that are more offensive. While Bob is clicking through some pop-ups, Doris, the office manager, enters his work area. Seeing the Web sites Bob is viewing, Doris remarks that they are very offensive. She reports her experience to her supervisor and visits the local EEO office. This is the third time she has seen Bob browsing pornography at his workstation, and she has reported the matter to her company's management each time. But this is her last straw; she has had enough. Bob has been warned about his pornography browsing but because his technical skills are not easily replaced, his activities have not resulted in adverse personnel action. After exhausting her administrative remedies without resolution, Doris files a civil suit, naming her employer and Bob as defendants. Because the court filings are public, there is significant news coverage and the organization's good image is irreparably tarnished. A large monetary settlement is made and Bob is fired.
One information manager stated, "There is a generally accepted statistic that places risk at an acceptable level: 1 percent. This is a risk. That's all the motivation I need; expect the best, but plan for the worst."