We rely on three core resources to protect information and other critical assets: people, processes and technology. We utilize extensive technology in the form of firewalls, anti-virus software, intrusion detection systems, encryption software, etc. The technology is managed through security practices, procedures and policies. And all of this depends on people to make it work.
The irony is that these very resources are also the source of threats and vulnerabilities for the organization. For example, operational risk is defined as, "[T]he risk of loss resulting from inadequate or failed internal processes, people and systems or from external events [i.e., fires, storms, earthquakes, etc.]" Risk and resources are one and the same. While a business may utilize a firewall to protect information from unauthorized access, a defect in that firewall could lead to the loss of the very information it was intended to protect. The operations manager we depend on to ensure processes are followed can be the source of significant losses when the manager decides to cut corners and ignore critical controls. As a result, we need a clear process to ensure that the resources we use to protect information do not become the source of losses.
©2009 ISRMC, LLC