If you don’t measure it, you can’t protect it

Posted on July 19, 2012 by rlockard

 have always felt safe in my home until a few days ago I had locked myself out of my house. I spent about 30 minutes looking for a spare house key my wife may have left in a car that did not exists. Finally I made the decision I was going to have to break into my own house. Once I made that decision, two minutes later I was standing in my living room. Sense then, I had a security assessment, changed locks and added some features to make my home safer. The security assessment was a key part of securing my house and telling me where I needed to put better locks and improve sensor placement.

Step one: to do a risk assessment of your environment. With this risk assessment you can make intelligent decisions on the mitigation’s you need to put in place to protect your database.

I always start with this simple template.  First name the high level risk element: Backup tape. Then name the risk: Lose . Then measure the likelihood of a tape being lost from 1 – 10. If you score it a 10 then you are saying the risk event is about to happen if you score the likelihood a 0 then you are saying this is not going to happen. Once you have measured the likelihood of the event then measure the impact from 1 – 10. A score of 10 is saying this will put you out of business and a score of 0 is we can ignore this risk. Now that you know what the risk is, the likelihood and the impact you will may hold off on mitigation and strength. But lets fill in mitigation for now. Encrypt backups and we will give that a strength of 8. I rarely give a score of 10 on mitigation because “stuff happens.” We can add other mitigation’s to the same risk event. All backup tapes will be transferred by bonded courier. Strength 7. By combining the two mitigation’s you have decreased both the likelihood or impact of the risk event.

Identify Confidential Data

The risk assessment should identify sensitive information and how the information moves through your systems. Your database has information that your organization would consider sensitive. This can be PII, Financial Data, Sales data and the list goes on. When locking down information you want to place some focus on confidential information. The likelihood of confidential data leakage may not be greater then other information in your database but the impact of the data leaking or getting corrupted would greater.

This entry was posted in Security. Bookmark the permalink.

Leave a Reply