Re: Was Re: RAID 5 drive replacement schedule - Now "Availability"
From: Adriel Desautels <adriel () netragard com>
Date: Mon, 23 Jun 2008 12:35:37 -0400
I do agree that coffee is a critical aspect of security and without it
all other aspects of security fail. Therefore, the coffee machine is
clearly the most business critical system with respect to its
availability. An outage there could be catastrophic.
On a more serious note, I'd never ignore the availability aspect of
security. I'd be ignorant if I did that.
Adriel T. Desautels
Chief Technology Officer
Office : 617-934-0269
Mobile : 617-633-3821
Join the Netragard, LLC. Linked In Group:
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
Mike Hale wrote:
"Is the horse dead yet?"
Apparently not. :) It has some twitches left.
You're correct on your writings about how companies deal with the
availability issues, and that, for some systems, it's not an issue if
they go down. But that is part of the risk acceptance process.
Whether the system is up and running or not remains an issue of
availability, which a comprehensive InfoSec plan should deal with.
"In those non-harmful cases the issue falls under the responsibility
of IT/Networking/Whatever you want to call it."
You're absolutely right. Even when it does bring harm it can fall
under the IT/Network side of things. But the security plan in place
should address the availability of that resource, and either seek to
protect it or accept the risk of it going down. That's all part of
Certainly, your definitions were accurate, but we're discussing (or I
am, anyway) security from an IT standpoint. Otherwise, we need to
start adding in things like coffee makers (the availability of which
carries the highest priority in my security policy :) ).
To wrap things up, Availability is a part of the InfoSec process.
You're absolutely correct in that, for some systems, availability is
of limited concern. However, decisions like that are also part of the
risk management process, which is a subset of a comprehensive security
plan. What I'm not saying, or which I did not mean to say, is that
the criticality of an unavailable system is always the same. What I
also did not mean to argue is that the original posting necessarily
fell under the security side of things. It just looked like you were
ignoring the availability aspect of security, which is why I thought
it'd be good to have this discussion. :)