Kenneth G. Hartman

Security Consultant,  
Forensic Analyst & 
Certified SANS Instructor

The following excerpt is a thread from a discussion on LinkedIn in the Information Security Community group.

Question:

Hi everyone, Information Security is about protecting the confidentiality, integrity, and availability (CIA) of Information Assets. So can someone tell me, at what point does availability become an issue? For instance, is server downtime an information security incident even if it was due to a technical fault?

Ken Hartman:

Here are my thoughts:

  • This is a question that every company will need to answer for themselves. Every organization has different security needs and different compliance requirements. Thanks for raising the issue. This is an important question that security managers need to ask their organizations to ensure that their security management program is meeting the needs of their organization.
  • The title of the person addressing the availability issue is less important than the fact that someone is ultimately responsible for addressing the root cause of the availability issue.
  • To build on an earlier point, security controls need to ensure that there is a framework for communication and timely corrective action. For many organizations, this may very well be their IT Case Management system.
  • As part of our security awareness efforts, we must create an understanding that security (including all parts of the CIA triad) is part of everyone’s job. Part of this is by building bridges with the larger IT organization. Calling an availability issue a “security incident” need not shift the responsibility to the security team to resolve it, but should instead highlight how everyone plays a role in security. Securing our organizations is too big of a task for just the security team.
  • Organizations may want to define a “threshold of impact” to use to filter availability issues because “you can’t drain the ocean” and some situations clearly deserve more formal incident handling.

NOTE: Many organizations now consider the intent to cause harm when determining if it is something that should involve the security team versus just the operations team.