Security Basics mailing list archives

Re: Was Re: RAID 5 drive replacement schedule - Now "Availability"


From: Adriel Desautels <adriel () netragard com>
Date: Mon, 23 Jun 2008 12:35:37 -0400

Mike,
I do agree that coffee is a critical aspect of security and without it all other aspects of security fail. Therefore, the coffee machine is clearly the most business critical system with respect to its availability. An outage there could be catastrophic.

On a more serious note, I'd never ignore the availability aspect of security. I'd be ignorant if I did that.
        

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


Mike Hale wrote:
"Is the horse dead yet?"
Apparently not.  :)  It has some twitches left.

You're correct on your writings about how companies deal with the
availability issues, and that, for some systems, it's not an issue if
they go down.  But that is part of the risk acceptance process.
Whether the system is up and running or not remains an issue of
availability, which a comprehensive InfoSec plan should deal with.

"In those non-harmful cases the issue falls under the responsibility
of IT/Networking/Whatever you want to call it."
You're absolutely right.  Even when it does bring harm it can fall
under the IT/Network side of things.  But the security plan in place
should address the availability of that resource, and either seek to
protect it or accept the risk of it going down.  That's all part of
the process.

Certainly, your definitions were accurate, but we're discussing (or I
am, anyway) security from an IT standpoint.  Otherwise, we need to
start adding in things like coffee makers (the availability of which
carries the highest priority in my security policy :) ).

To wrap things up, Availability is a part of the InfoSec process.
You're absolutely correct in that, for some systems, availability is
of limited concern.  However, decisions like that are also part of the
risk management process, which is a subset of a comprehensive security
plan.  What I'm not saying, or which I did not mean to say, is that
the criticality of an unavailable system is always the same.  What I
also did not mean to argue is that the original posting necessarily
fell under the security side of things.  It just looked like you were
ignoring the availability aspect of security, which is why I thought
it'd be good to have this discussion.  :)

- Mike
