Security Solutions
Customer Needs Assessment
Determine Risk Tolerance
An important part of implementing access controls is evaluating your company's risk tolerance. What type of data does your company store, and what are the consequences if an attacker breaches your network security and steals or damages that data?
The more valuable your network assets are, the more severe the consequences if network security is compromised. Because companies today rely heavily on their networks to run their business, nearly every company network stores confidential customer information and proprietary company information. However, some customer information, such as credit card numbers, is particularly valuable to an attacker and therefore carries a correspondingly high risk.
When you evaluate the information stored on your network, you must ask yourself many questions. What is the information worth to your company and its customers? How much effort will attackers expend to steal it? If you are storing credit card numbers, for example, attackers have a strong motivation for infiltrating your network. On the other hand, do not assume that your network is safe from attack because you do not store credit card information. Information stored about employees as a matter of course (for example, personnel and payroll records) can be quite attractive to identity thieves. Do you collect and store information about customers? Your organization has an obligation, perhaps a very real legal obligation, to protect that data. No network is immune from attack.
You must also estimate the cost of downtime if systems are damaged and employees cannot use the network. How will downtime affect your company's productivity? Can your company continue to operate without impacting service to customers, and for how long?
Damage is higher, of course, if the attack is made public. As part of a study of 475 companies, the IT Policy Compliance Group "conducted benchmarks focused on the expected financial losses associated with data losses and thefts that are publicly disclosed." The compliance group concluded that the "expected financial consequences" were "changes in the price of stock for publicly traded firms," "customer and revenue losses," and unspecified "additional expenses and costs." (Why Compliance Pays: Reputations and Revenues at Risk, a Benchmark Research Report, July 2007, p. 10. You can download this report at http://www.itpolicycompliance.com/research_reports/spend_management/.)