- The 10 dumbest mistakes network managers make
- Six Windows 7 features admins will actually care about
- Why the iPhone can't be "killed"
- Nortel enterprise chief wants to bring back Bay
- More porn sneaks onto the iPhone
Whatever happened to the A in CIA? That's what a reader asked recently, referring to the tried-and-true information security triad: Confidentiality (keeping secrets secret), Integrity (ensuring information is not modified) and Availability (keeping electronic doors open and IT shops humming).
Availability has become perhaps the most pressing post-9/11 security issue for network-centric firms. Today, responsibility for network availability is being moved from information security staff to others within the corporate organization. Some firms view availability as part of disaster avoidance. For example, how do you pick a location for a back-up data center? What possibilities must be considered? Acts of God, to be sure. But now, acts of man are in the forefront of our paranoia. Package bombs? Severed transportation or communications links? Shoulder-launched missiles fired from buildings or hilltops? Is availability the responsibility of information security professionals, counterterrorism experts or disaster-recovery teams?
Other companies consider availability a part of business continuity. Some cities now provide utility company specialists to coordinate with local companies and critical infrastructures to ensconce mission-critical power and communications lines in concrete tubes under the streets and ostensibly away from danger. Facilities-management staff often take the lead here, even though the pre-eminent aim is to provide real-time backup, redundancy or fail-safe data centers.
What I see in too many organizations is turf building, budget grabbing and "stovepiping" - vertical building of a hierarchy within a company that has no contact with other divisions or departments. This is the antithesis of what is needed to meet modern, coordinated threats that transcend corporate-divined organizational boundaries.
A new security triad, CPP, redefines the three main areas of security: Cyber (computer, network and information security), Physical (the wires, silicon, glass and structures) and People (employees, consultants, suppliers, partners and anyone in contact with your company). Under this triad, stovepiping of responsibilities and functions creates unnecessary overlap, wasted resources and a mediocre security posture.
Comment