IT Controls: Essential vs. Excellent

Posted by Bhoopendra Adhikari

The Data Breach Report 2008 from the Verizon Business risk team shares many useful results: some are surprising, some are commonly known, and some encourage us to look at a few old things in a new way. The report has been debated widely in the IT security community since its release, and I am picking a few related results here which, in my opinion, give an insight into a key aspect of your IT controls ecosystem:

  1. 83% of breaches were caused by attacks not considered to be highly difficult. 85% were opportunistic.
  2. Only 4% of data breaches were discovered by existing event monitoring and log analysis tools. This percentage is nearly the same as that of breaches discovered by routine internal audit (3%).
  3. No breaches were noted for systems that were patched within one month of vulnerability identification.

It’s easy to deduce that all of the above relate to the IT security and control environment, but the common thread linking the first two is the lack of the ‘essential’ elements, either in control design or in control operation. The third establishes that if you maintain at least the ‘essential’ (without rushing to deploy a patch as soon as it’s released) you are good. Now, like any research document, the report has its shortcomings, but it still gives every one of us who is interested in IT controls some food for thought.

So ‘essential’ is adequate to prevent most security breaches if the philosophy is applied uniformly to all the required risk areas. What this means is that implementing an essential set of effective controls across all identified risk elements is far better than applying an excellent set to some and ignoring others entirely. I always pair the word effective with control, as having a control means nothing unless it’s effective in design as well as in operation.

The quest for excellence also sometimes makes people overlook the effectiveness and sustainability of control operation. You can adopt and deploy an expensive, top-of-the-line event analysis and monitoring tool (which the vendor promised will bring the desired excellence in security), but if it’s not supported by a regular and efficient process of analysis and monitoring, you will end up with a false sense of security that a script kiddie can quickly bring to its knees.

To wrap it up, it’s always a good strategy to apply the essential controls, ensure they work well, and only then target the excellence part. Not only do you have the peace of mind of a comfortable control environment while you are pursuing excellence, but it’s also better to handle the advanced pieces of security in a gradual (and different) way than the essentials piece.

Comments

But Bhoopendra, how do we control breaches by internal employees, because the actual breach has been done by them....
