A Helpful Way for an SMB to View Security?

Do you lock your business doors at night?

Do you lock your business doors during business hours?

What should an SMB look at to determine the level of security it needs and the preventive measures it should take to protect the business?

We have all heard of the CIA, right? Well, maybe. There is another commonly used meaning of the acronym CIA, also called the “Security Triad”, and if you search the internet for it you will find lots of references to it, like this article in TechRepublic. In the context of security, CIA stands for Confidentiality, Integrity and Availability. These three areas are used very much like the three constraints commonly considered to bound project management. Those constraints, known as the “Project Management Triad”, are Scope, Cost, and Time. The idea behind these triads is that if you make a change in one of the elements it impacts the other two. For the Project Management Triad we may see Quality as a fourth element that lies in the middle of the triad. See below:

[Figure: project management triangle]

For the project manager, the triad is a good way to visualize the three main elements that may be controlled to manage a project to successful completion, and the impact that varying these elements may have on quality. I do not want to minimize the importance of quality, but I have created my own view of how I see these competing triad constraints combining: in my view of this relationship, I replace Quality with the Security Triad.

[Figure: Security Triad]

The reason I created this view is to highlight the impact on the normal constraints under which we must typically address security issues. To demonstrate the use of the constraints, let us look at how they can be used to answer some of the questions I started with in this post.

Do you lock your business doors at night?

Most businesses lock their doors at night. It is safe to assume that the intent is to keep unauthorized people out of the business (Confidentiality) during a time when the owner only wants authorized people with a key to get in.

Do you lock your business doors during business hours?

While this is a silly question, let us look at the reasons that businesses typically do not lock the doors during business hours. First of all, if the building is occupied, locking the doors would be a safety hazard to any people inside who may need to leave in an emergency (Availability). It would also prevent customers from getting into the building (Availability and Cost). Of course, unauthorized access to the business would be prevented (Confidentiality).

The point of the above is to highlight the need to balance these constraints. Each triad impacts the other, and each element in each triad impacts the whole. If you lock all the doors all the time you may raise Confidentiality for the business, but Availability suffers, and there may also be an impact on Cost, because business may be lost when Availability is reduced for customers. What I want you to take away from this discussion is the strong interdependence between each element of the triads and the other elements. While contemplating the implementation of security measures, the business should try to consider the impact on any other dependent elements before making a final decision. The homework involves identifying the detailed things that are part of each triad element.