Determining what to protect

Before you design and implement your organization's security plan, you must first determine what to protect. Then you must determine what threats exist to what is protected. This page discusses how to determine what to protect and what it is worth. Knowing the value of the data to your organization tells you how much it is worth spending to protect it. This information will help you determine both your security requirements and your disaster recovery policy.

Rate Your Data

Based on your organization's structure, you must determine the importance and value of your data. This can most likely be broken down by department, and you may accomplish it by sending questionnaires to your department managers through your management. The following must be defined:

  • What data you have.
  • Where it is stored (which server or computer it is stored on and in which directory). The response may be that it is "in some directory on the I drive", and it will be up to you to determine which server the I drive maps to.
  • Is it a database or a set of files?

The data importance should be defined in a manner similar to the method shown below:

  • How well can you live without your data?
    • 0 - I don't care
    • 1 - I would like to have it
    • 2 - Must have it
    • 3 - Can't live without it
  • As an organization or department, how long can you live without access to your data (for each data item specified)? This may be minutes, hours, days, weeks, months, or years. This information will help you determine whether your organization would survive if this data were lost, and whether the data is really vital to your organization. It will also help you with the creation of your disaster recovery plan and its requirements.
  • What is the maximum possible damage in monetary units if unauthorized persons had access to your data and could use it against your organization?
  • What is the maximum possible damage in monetary units if unauthorized persons incorrectly modified your data, or if your data was lost?

This information is best determined by department, and depending on the type of your organization, the data may be more or less valuable by department. For example, assume an organization with the following departments:

  • Human Resources
  • Finance
  • Research and Engineering
  • Law Department

Consider which department's data would be most important if the organization were a bank, a law firm, or an auto manufacturing company.

Rating your data and considering the potential monetary loss if the data is destroyed or inaccessible for some period of time will also be instrumental in helping your organization develop its disaster recovery plan.

Consider threats, risks, and possible damage

When evaluating how to defend your data, you will need to consider each threat and the degree of vulnerability to that threat. The risk is the threat multiplied by the vulnerability. Then consider the cost if the consequences of the threat are realized. Together, the risk and the cost will help you determine how much you should spend to reduce your vulnerability to each threat.