Availability = not my problem!

Well OK, "not my problem" is perhaps a little harsh; "not my responsibility" would be more accurate.
I think it is definitely time to rethink 'Availability' (as in the classic security 'CIA' triad of Confidentiality, Integrity, and Availability) as a responsibility of the Security team.
Availability, and its bigger, uglier cousin Disaster Recovery, have long been part of the Information Security mantra, from entry-level CompTIA Security+ right up to CISSP or CISM. Why is this so?

While you could argue that availability is a security responsibility in the case of a DoS attack, does it remain one if, for example, a lack of disk space causes a server to come crashing down? Does that make capacity planning Security's responsibility? Or if a single power supply dies and a server or router becomes unavailable, should Security have ensured that the critical system had sufficient redundancy to avoid an outage due to hardware failure?

I think that in the dim, dark past Availability fell under security so it would live 'somewhere' and someone would be thinking about it, even if the 'security guys' weren't the most appropriate people.

I don't think the CIA triad is going anywhere soon, but in my opinion you're better off concentrating on Confidentiality and Integrity and leaving Availability and DR to the IT department...


Well, that's the CISSP exam out of the way... On to CEH?
