When pondering the CIA - not the Central Intelligence Agency, but IT security's core tenets: confidentiality, integrity and availability - those working in information security usually think about defending against malware, breaches and the insider threat. But the "A" in CIA often comes down to something more mundane: making sure an organization's hardware keeps functioning, and that its data survives when the hardware does not.
That's a lesson learned by the United States Postal Service, which lost data earlier this year because it backed up essential data on the same hardware where the information originally resided rather than on separate hardware.
When a USPS computer failed last April 3, according to an alert issued by the United States Postal Service Office of Inspector General, the original data - a USPS Computer Incident Response Team database used to record and monitor computer incidents - and the backup version were both lost.
The lost database wasn't classified as "critical," so Postal Service policy, which requires offsite backups only for critical data, did not require it to be backed up to offsite hardware. Yet Kimberly Benoit, USPS deputy assistant inspector general for information technology and data analysis, says the database was "essential" for the Postal Service to help assure the security of its systems.
Loss Could Cause Added Work
The inappropriate backup procedure disclosed in the alert might not be an isolated case. Benoit says other groups at the Postal Service could be using other essential databases that are not properly backed up. "The practice of backing up data on the same hardware could result in the loss of essential data, increased work-hours to recreate the databases, and an inability to perform analyses in the event of hardware failure," she cautions.
When the hardware failed, Benoit says, "the database was not available to perform analyses of computer incidents that would enable management to more effectively monitor and resolve new incidents in a timely manner. In addition, the Postal Service could not maintain an electronic incident repository."
When they learned of the hardware failure, Postal Service managers took corrective action, updating and implementing backup procedures for a new CIRT database.
Impact of Risk Assessment
Would a proper risk assessment have led the Postal Service to use different backup procedures for essential databases? Perhaps not. "It's not always a slam-dunk; that's why risk management is hard," says Ron Ross, a fellow at the National Institute of Standards and Technology, who oversees NIST's risk management guidance.
In conducting a risk assessment, Ross says, organizations must look at four sources of threat: cyber-attacks, natural disasters, intentional or unintentional errors, as well as structural failure - the category involved in the Postal Service case.
"Is it legitimate to consider all four of those threat sources? Absolutely," Ross says. "But we have limited resources we're dealing with, we have limited amount of time, so it becomes a risk-management decision to look at 360 degrees around the loop, so to speak."
And that could mean USPS managers decided that the risk posed by hardware failure wasn't worth the time and effort of backing up the data on another box at another site.
As Ross suggests, a risk assessment could have identified other factors as more crucial to securing the agency's information assets, and that's where the USPS put its resources. Perhaps those decisions helped prevent more serious problems that would have weakened the confidentiality, integrity and availability of Postal Service IT systems. We'll never know. It's not always evident that steps taken to mitigate vulnerabilities work.
What we do know is that the IG recommended that the USPS stop backing up essential data on the same hardware where the original data is stored. And that's what Chuck McGann, USPS manager of corporate information security, says the Postal Service will do by next April. He says he's advising database administrators and others to back up noncritical information stored on mainframes, servers, workstations and mobile devices to hardware at an off-site location that isn't subject to the same threats as the original information.
That's sound advice that doesn't require a risk assessment, but common sense.
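The failure mode the IG describes is easy to catch mechanically before a disk dies. Below is an added example (not USPS or NIST code) of the check McGann's advice implies: it flags any backup job whose target sits on the same block device as its source, and any critical job whose copy stays within the same site. The `BackupJob` records, the site labels and the `critical` flag are constructed for illustration; in practice the labels would come from an asset inventory, and the device lookup would be replaced by an inventory query for targets that aren't locally mounted.

```python
"""Flag backup jobs that write the copy to the same hardware as the original.

Added example, not USPS or NIST code. Host/site labels and the sample jobs
in demo() are constructed for illustration."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Iterable


@dataclass
class BackupJob:
    """One backup definition; site labels are assumed to come from an asset inventory."""
    name: str
    source: str              # local path of the data being protected
    target: str              # local path (or mount point) where the copy is written
    source_site: str         # constructed labels; a real deployment reads these from a CMDB
    target_site: str
    critical: bool = False   # classification that decides whether off-site is mandatory


def device_of(path: str) -> int:
    """Return the st_dev of the filesystem holding `path`.

    Walks up to the nearest existing ancestor so a backup directory that has
    not been created yet is still attributed to the volume it would land on."""
    p = Path(path).resolve()
    while not p.exists():
        p = p.parent
    return os.stat(p).st_dev


def audit_job(job: BackupJob, device_fn: Callable[[str], int] = device_of) -> list[str]:
    """Apply two rules and return the findings (empty list means the job passes):
    1. every backup must land on a different device than its source;
    2. critical data must additionally be copied to a different site.
    `device_fn` is injectable so an inventory lookup (or a test) can stand in for os.stat."""
    findings: list[str] = []
    src_dev, dst_dev = device_fn(job.source), device_fn(job.target)
    if src_dev == dst_dev:
        findings.append(f"{job.name}: target shares device {src_dev} with the source; "
                        "one hardware failure loses both copies")
    if job.critical and job.source_site == job.target_site:
        findings.append(f"{job.name}: critical data backed up within site {job.source_site}; "
                        "no off-site copy")
    return findings


def audit(jobs: Iterable[BackupJob], device_fn: Callable[[str], int] = device_of) -> dict[str, list[str]]:
    """Audit every job and map its name to its findings."""
    return {job.name: audit_job(job, device_fn) for job in jobs}


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp directory: an incident database whose 'backup'
    lives in a sibling directory on the same volume, and a critical ledger copied
    next to itself within the same site."""
    root = Path(tempfile.mkdtemp(prefix="backup-audit-"))
    (root / "cirt").mkdir()
    (root / "cirt" / "incidents.db").write_bytes(b"constructed sample data")
    (root / "payroll").mkdir()
    (root / "payroll" / "ledger.db").write_bytes(b"constructed sample data")
    jobs = [
        # "backup" to a not-yet-created sibling directory on the same volume
        BackupJob("cirt-db", str(root / "cirt" / "incidents.db"), str(root / "backup"), "hq", "hq"),
        # critical data copied beside itself: same device and same site
        BackupJob("payroll", str(root / "payroll" / "ledger.db"),
                  str(root / "payroll" / "ledger.db.bak"), "hq", "hq", critical=True),
    ]
    return audit(jobs)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Two caveats a practitioner should keep in mind. A differing `st_dev` only proves the paths are on different filesystems; two partitions of one physical disk, or two LUNs behind the same array, pass this check and still fail together, so the inventory-backed `device_fn` is where the real "different hardware" judgment has to live. And the check says nothing about whether the backup is restorable, so it belongs beside a periodic restore test, not in place of one.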