Risk, Security and Resilience Revisited
More than two years ago, in the "Business Continuity Q&A" series, I wrote an article on the relationship between risk, security and resilience. The question was rather interesting: "When we talk about security, what are we talking about? When we talk about risk, what are we talking about? When we talk about resilience, what are we talking about?" The conclusion was: "To some extent, risk management, security management and resilience management describe the same set of activities, but the risk perspective emphasizes what we may encounter (scenarios), the security perspective emphasizes what we do (tasks), and the resilience (anti-fragility) perspective emphasizes the objective (target capability)."
Recently, while following up on material in the area of incident response and management, I read an article by Georgia Killcrece of Carnegie Mellon University that discusses the relationship between risk management, operational resilience, security management, business continuity and incident management. It is very well put, and the key points are excerpted below. Georgia Killcrece writes:
(1) Operational resiliency is the organization's ability to sustain the mission in the face of operational risks such as those resulting from failed internal processes, inadvertent or deliberate actions of people, problems with systems and technology, and external events.
Operational resiliency depends on effective management of core operational risk management activities such as security management (SM), business continuity and disaster recovery (BC/DR), and IT operations.
SM, BC/DR, and IT are three separate areas, but they work together to support and sustain operational resiliency. These three areas (SM, BC/DR, IT) are dependent on each other to complete their missions; share the same goals, objectives and requirements, driven by organizational needs; focus on the protection and productivity of the same objects; and rely on shared, common practices.
Operational resiliency is the concept of managing operational risk to ensure mission viability by being able to adapt to new risks as they emerge and acting before reacting.
(2) Risk management focuses on keeping critical objects or assets productive by limiting risk and managing the impact of realized risk.
Resiliency is a function of risk management and security is a risk management activity; therefore security contributes to operational resiliency through the risk management link.
(3) Incident management is one part of security management and therefore also a risk management activity.
Incident management, then, can be seen as an abstract, enterprise-wide capability, potentially involving every business unit within the organization. It can be viewed as a subset of the organization's broader security, risk, and IT management activities and functions. It can often cross into general security and IT management tasks and practices.
Having an incident management capability in place contributes to the operational resiliency of the organization. Once again, however, since incident management is a risk management activity, it must be recognized that technology solutions are not the only important part of the response. Achievement of the business and operational mission must be balanced in light of any response strategies, and organizational process and human actions must be taken into account. Technology alone does not achieve success.
Georgia Killcrece's profile can be found via a Google or Bing search. The article was written in 2005 and revised in 2013; the full text is available at the following link: https://us-cert.cisa.gov/bsi/articles/best-practices/incident-management/incident-management
This public account (ID: bcmplus) is dedicated to spreading and popularizing knowledge of business continuity management; readers interested in emergency, continuity and crisis management are welcome to follow it.
Originally published on the WeChat public account "业务连续性+" (Business Continuity+) | Original link