[ISM3 Users] Tuesday Insight: Environments

Gary Hinson gary at isect.com
Mon Jul 9 23:41:26 CEST 2007


> It seems that Environment is the most misunderstood concept of ISM3.
> ...
> When looking at an organization we can model it as the sum of all
> component assets, but first of all we have to choose the depth of
> modelling. Is every cable and connector of a network an asset? If it
> is not, Why? Could you model a dog as a set of molecules or as a set
> of cells?
> ...

Hi Vicente.

You have identified a common problem about the appropriate level of analysis
for inventorying and risk-assessing information assets, but I wonder if
"environment" is the best term for a group of assets?  In common language,
"environment" is "the surroundings".  In an IT context, "environment" is
often taken to mean "the IT infrastructure" or "the physical environment for
the computer room", or even "the context in which an application system is
used".  I personally prefer the term "system" as used within systems
analysis, but "system" is usually understood to be the "computer system"
i.e. a mainframe, server or PC, so that's no better.  Perhaps someone else
on this forum has a better idea?

One more point: the level of analysis is not something one can determine
definitively, once and for all time.  It is related to the nature of the
analysis required, and the number of data items we can reasonably analyse.
During the Y2k debacle, for instance (1), we had to analyse 'all' software
for Y2k bugs, therefore we had to inventory 'all software applications' and
'all firmware' which involved checking individual instances of software
(e.g. to make sure that no vulnerable versions were still in use) and
individual items of equipment (with their embedded firmware).  For disaster
contingency planning (2), that level of analysis is unnecessary and in fact
counterproductive.  We might possibly need to know what the business
impacts are if a particular system goes up in smoke, but usually we are concerned
about the loss of the whole facility.  In relation to zero-day exploits (3),
we may need to know the disposition of a given piece of vulnerable software
across our entire population of systems.  In other words, sometimes we need
a top-down view (3), sometimes bottom-up (1) and sometimes both ways (2).

Kind regards,
Gary 

PS  Nice piece in the ENISA Quarterly!

Gary Hinson,
Passionate about security awareness
www.NoticeBored.com  
www.ISO27001security.com  