RE: RAID 5 drive replacement schedule

["Rivest, Philippe" <PRivest () transforce ca>]

The purpose of IT is to abide by the rules and decision made by the data
owner (be it system or entity owner). No design should be done, before you
know the classification of the data simply because they may be no need for
redundancy or they may be specific needs.

You stated it back wards when you said:
- My thought is that at some point it comes down to system design and basic
IT considerations.

Also you are incorrect with this statement:
-Simplified it seems to me that the entire purpose of IT is to ensure
availability.

The purpose of IT is to respect the CIA in regards to the need of the company
or data owner, no more or no less. IT is only an organization that services
the needs of the data/system owner in a technological manner.


Merci / Thanks
Philippe Rivest, CEH
Vérificateur interne en sécurité de l'information
Courriel: Privest () transforce ca
Téléphone: (514) 331-4417
www.transforce.ca


-----Message d'origine-----
De : Nick Vaernhoej [mailto:nick.vaernhoej () capitalcardservices com] 
Envoyé : 25 juin 2008 10:16
À : Rivest, Philippe; security-basics () securityfocus com
Objet : RE: RAID 5 drive replacement schedule

Philippe,

I have been sitting here typing up one response after another, each time
ending up deleting the whole thing and starting over in an attempt to make
cases illustrating how availability is not always a security concern.

My thought is that at some point it comes down to system design and basic IT
considerations.
But this argument is inadequate. Just because it is within IT to design
redundancy it doesn't mean that it isn't a security concern.

My issue with this criteria is then, that it now sounds like IT is a subset
of security. Not an equal or the other way around.
Simplified it seems to me that the entire purpose of IT is to ensure
availability.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-  -----Original Message-----
-  From: Rivest, Philippe [mailto:PRivest () transforce ca]
-  Sent: Wednesday, June 25, 2008 8:26 AM
-  To: Nick Vaernhoej; security-basics () securityfocus com
-  Subject: RE: RAID 5 drive replacement schedule
-  
-  Im not to sure about which part of my previous post you think is up to
-  interpretation, if you could clarify that would help.
-  
-  But for your scenario:
-  
-  If I understand correctly your scenario, I know it's a resume, but it
-  is
-  flawed in the basic concept of availability.
-  
-  If you have a safe box, with a door and a lock on it. No body can
-  access the
-  box and it is only available to the key holder (hence confidentiality
-  and
-  integrity could be assumed to be good). If this is the situation you
-  stated
-  then here is the concern for availability. What if the key is lost?
-  What if
-  the door lock is damage and can no longer open?
-  
-  If you go about to keep a second (back up) key pair, you would
-  consider this
-  availability safeguard. If you had another way to get in the room with
-  the
-  box, that would also be considered a backup safeguard for
-  availability.
-  
-  
-  Hope this helped.
-  
-  Merci / Thanks
-  Philippe Rivest, CEH
-  Vérificateur interne en sécurité de l'information
-  Courriel: Privest () transforce ca
-  Téléphone: (514) 331-4417
-  www.transforce.ca

This electronic transmission is intended for the addressee (s) named above.
It contains information that is privileged, confidential, or otherwise
protected from use and disclosure. If you are not the intended recipient you
are hereby notified that any review, disclosure, copy, or dissemination of
this transmission or the taking of any action in reliance on its contents, or
other use is strictly prohibited. If you have received this transmission in
error, please notify the sender that this message was received in error and
then delete this message.
Thank you.