The first step in improving the security of your system is to answer these basic questions:
What am I trying to protect and how much is it worth to me?
What do I need to protect against?
How much time, effort, and money am I willing to expend to obtain adequate protection?
These questions form the basis of the process known as risk assessment. Risk assessment is a very important part of the computer security process. You cannot formulate protections if you do not know what you are protecting and what you are protecting those things against! After you know your risks, you can then plan the policies and techniques that you need to implement to reduce those risks.
For example, if there is a risk of a power failure and if availability of your equipment is important to you, you can reduce this risk by installing an uninterruptable power supply (UPS).
Risk assessment involves three key steps:
Identifying assets and their value
There are many ways to go about this process. One method with which we have had great success is a series of in-house workshops. Invite a broad cross-section of knowledgeable users, managers, and executives from throughout your organization. Over the course of a series of meetings, compose your lists of assets and threats. Not only does this process help to build a more complete set of lists, it also helps to increase awareness of security in everyone who attends.
An actuarial approach is more complex than necessary for protecting a home computer system or very small company. Likewise, the procedures that we present here are insufficient for a large company, a government agency, or a major university. In cases such as these, many companies turn to outside consulting firms with expertise in risk assessment, some of which use specialized software to do assessments.
Draw up a list of items you need to protect. This list should be based on your business plan and common sense. The process may require knowledge of applicable law, a complete understanding of your facilities, and knowledge of your insurance coverage.
Items to protect include tangibles (disk drives, monitors, network cables, backup media, manuals, etc.) and intangibles (ability to continue processing, your customer list, public image, reputation in your industry, access to your computer, your system's root password, etc.). The list should include everything that you consider to be of value. To determine if something is valuable, consider what the loss or damage of the item might cost in terms of lost revenue, lost time, or the cost of repair or replacement.
Some of the items that should probably be in your asset list include:
Backups and archives
Manuals, guides, books
Commercial software distribution media
Communications equipment and wiring
Safety and health of personnel
Privacy of users
Public image and reputation
You should take a larger view of these and related items rather than simply considering the computer aspects. If you are concerned about someone reading your internal financial reports, you should be concerned regardless of whether they read them from a discarded printout or snoop on your email.
The next step is to determine a list of threats to your assets. Some of these threats will be environmental, and include fire, earthquake, explosion, and flood. They should also include very rare but possible events such as structural failure in your building, or the discovery of asbestos in your computer room that requires you to vacate the building for a prolonged time. Other threats come from personnel and from outsiders. We list some examples here:
Illness of key people
Simultaneous illness of many personnel (e.g., flu epidemic)
Loss (resignation/termination/death) of key personnel
Loss of phone/network services
Loss of utilities (phone, water, electricity) for a short time
Loss of utilities (phone, water, electricity) for a prolonged time
Theft of disks or tapes
Theft of key person's laptop computer
Theft of key person's home computer
Introduction of a virus
Bankruptcy of a key vendor or service provider
Bugs in software
Subverted third-party personnel (e.g., vendor maintenance)
Random "hackers" getting into your machines
Users posting inflammatory or proprietary information on the Web
Risk assessment should not be done only once and then forgotten. Instead, you should update your assessment periodically. In addition, the threat assessment portion should be redone whenever you have a significant change in operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or undergo other major changes, you should reassess the threats and potential losses.