[ISM3 Users] Tuesday Insight: Environments
Vicente Aceituno
vac at zenobia.es
Mon Jul 9 11:27:47 CEST 2007
Dear All,
It seems that Environment is the most misunderstood concept of ISM3.
Everyone seems to know what an "asset" is; Risk Assessments start
normally identifying assets. Is a server an asset? How about a
database? And a switch? Good, let's start work...
Wait. This is a *wrong* approach. And by saying that it is wrong I don't
mean it is incorrect, but *not very useful*. Why?
When looking at an organization we can model it as the sum of all
component assets, but first of all we have to choose the depth of
modelling. Is every cable and connector of a network an asset? If it
is not, why? Could you model a dog as a set of molecules or as a set
of cells?
Organizations are complex, like a dog is, and they can't be understood
as a set of component parts (when splitting too thin). When modelling
a complex system it is better to find a level where the parts are
still meaningful in terms of the whole system. Using this point of
view, we would model a dog as a set of organs placed in certain places
connected and related in a certain way. The model won't be the dog,
but we will gain a better understanding of the dog than using cells as
"dog components".
Using Environments is often a good way to model IT in an organization.
An environment is a set of information systems managed by a person (or
a team) with defined borders and that serves one or several business
functions. Does it really matter if there are 50 or 70 servers in an
environment? When you are thinking in terms of an information
security management system, not really. What really matters is: What
should we start doing that we are not doing? How could we do the things
we are doing better or with fewer resources? What are we doing that
is not providing value? Where is IT providing business value? These
questions can't be answered in a meaningful way using servers, switches,
keyboards and so on.
As a result of an assessment, what people do and how they do it will
change (hopefully, for the better). Using Environments for modeling
IT preserves the link between IT systems, the business, and who is
responsible for them.
So it is more useful.
My best
Vicente
P.S.: Check my article on Security Metrics in the latest ENISA Quarterly:
http://www.enisa.europa.eu/doc/pdf/publications/enisa_quarterly_06_07.pdf
P.P.S.: We got an early Tuesday this week, didn't we? :)