Determining what to protect
Before you design your organization's security plan and implement it, you must first determine what to protect. Then you must determine what threats exist to what is protected. This page will discuss how to determine what to protect and what its value is. Determining the value to your organization of the data you are protecting will help you determine how much it is worth spending to protect your data. This information will both help you determine your security requirements and your disaster recovery policy.
Rate Your Data
Based on your organization's structure, you must determine what the importance and value of your data is. This can most likely be broken down by department and you may accomplish it by sending questionnaires to your department managers through your management. What must be defined is the following:
- What data you have.
- Where it is stored (What server or computer it is stored on and in what directory) - The response may be it is in the I drive in some directory and it will be up to you to determine the server location for the I drive.
- Is it a database or a set of files?
The data importance should be defined in a manner similar to the method shown below:
- How well can you live without your data?
- 0 - I don't care
- 1 - I would like to have it
- 2 - Must have it
- 3 - Can't live without it
- As an organization or department how long can you live without access to your data (for each data item specified)? This may be minutes, hours, days, weeks, months, or years. This information will help you determine if your organization will survive if this data is lost and whether this data is really vital to your organization. It will also help you with creation of your disaster recovery plan and its requirements.
- What is the maximum possible damage in monetary units if unauthorized persons had access to your data and could use it against your organization?
- What is the maximum possible damage in monetary units if unauthorized persons incorrectly modified your data or your data was lost?
This information is best determined by department and depending on the type of your organization, the data may be more or less valuable by department. For example assume an organization with the following departments.
- Human Resources
- Research and Engineering
- Law Department
Consider which department's data would be most important if the organization was any one of a bank, law firm, or auto manufacturing company.
Rating your data and considering the potential monetary loss if the data is destroyed or inaccessible for some period of time will also be instrumental in helping your organization develop a disaster recovery plan.
Consider threats, risks, and possible damage
When evaluating how to defend your data, you will need to consider each threat and the degree of vulnerability to that threat. This is the risk which equals threat times vulnerability. Then consider the cost if the consequences of the threat are realized. This will help determine how much you should spend to reduce your vulnerabilities to each threat.