Well, it may have held off slightly longer than normal, but we knew it would just be a matter of time. This past week my home state of Iowa was pummeled with ice, snow, and bitterly cold temperatures. Although my weekly trek between Des Moines and Minneapolis was delayed by a day, it didn’t take too long for the hard-working road crews to get the highway infrastructure moving again.

Although I have survived my fair share of Midwest winter storms over the years, it struck me how there is similarity between how winter storm contingencies are planned for and how enterprise security should be handled.

In a computing environment, it’s important to perform what is known as “data classification.” This is where data is identified by its criticality to the organization. Data that is public, easily recreated, or has less intrinsic value to the organization (perhaps historical information) typically has less importance than data that would be costly if it were damaged or breached. Most organizations have limited resources (funding, security staff, etc.) and so the more important data gets prioritized first.

This classification is also necessary for our city planners. Obviously, with limited snow removal equipment and plow drivers, there is no way that every road can be cleared simultaneously. Routes are classified according to their importance. Classifications might include interstates, main trucking thoroughfares, secondary roads, and residential streets.

The next task is to perform a risk assessment. This is an important process by which risk is assessed based on a couple of factors: vulnerability and threat. Vulnerability is the possibility of the incident; threat is the likelihood that the vulnerability will occur. By reviewing the classification, the vulnerability, and the threat, we get an assessment of risk. If one of the factors is low then the risk is generally also going to be low, and may even fall in the category of “acceptable risk.” If the cost to secure an asset is more than the business value of the asset, then management is not likely to want to spend the money on it.

In the case of winter, the vulnerability is whether a particular location could get a disabling snowstorm. There is high vulnerability in northern states such as Iowa and Minnesota, but not much vulnerability in the South. Even in places where there is vulnerability, the threat may still be low and may mean that we don’t see it as ‘high risk’ overall. The threat of a winter storm is obviously minuscule during summer months, but high between December and January. Accordingly, road maintenance departments know when to prepare their snow removal equipment for deployment, and to stock up on road salt and snow-melting chemicals.

There are cities that have occasional snowfall. I have been stuck in Dallas Fort Worth International airport when freezing rain has started to fall. The difference in how these locations respond is almost comical. It is like they grind to a halt over an incident that Minneapolis would handle in its sleep. This is because snow removal is not a major threat, and therefore is typically deemed as an acceptable risk. I remember a few years ago when Iowa actually lent plows to another state that suffered a crippling snow storm, and had only 1 or 2 plows of their own (for the whole state!).

When an incident is discovered or predicted, the emergency response teams are called in. They use an Incident Response Plan (IRP) to know how to respond. For computer security, this may mean performing forensic analysis, management notification, or even disaster recovery; for winter storms it is the carefully orchestrated plowing of streets, parking bans, and widespread public notification of school closures.

A post-incident review, designed to analyze how effectively the response teams handled the situation, is the last step to determine if changes need to be made to the response plan. This may include additional notification methodologies, or requirements for new or additional equipment. In 2008, Iowa started to implement laser-guided plows to enable more accurate plowing with less chance of damage to the roads, and to help weary crews who are often faced with 12+ hour shifts.

Occasional risk assessments should also be performed to ensure that the incident is represented with the same level of risk. Risk levels will be impacted by the need to reclassify the asset (data or road), as well as different vulnerabilities, or changes in threat levels.

So, if you live in a part of the world where snow—or any type of large natural event—is possible, imagine how the response teams might be using the very same type of risk management technique as your I.T. security staff.

This entry was posted on Tuesday, December 15th, 2009 at 2:57 pm and is filed under Other, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.