[ISM3 Users] Tuesday Insight: Environments

Renato Aquilino Pujol rap at cesser.com
Tue Jul 10 09:48:00 CEST 2007


Hi, all:

Regarding IS Security, an "asset" should be considered "every component of an IS exposed to threats worth analyzing to achieve the Organization's IS objectives". That is, a cable itself is not an "asset", but a network cable connecting critical network components is clearly an "asset" when we must ensure network availability, as we can identify threats against that goal (interference, unsafe environment, etc.).

I'm pessimistic about getting precise definitions of the boundaries of many terms used in IS security; usually the boundary is not a thin line but a wide one, and its width is determined by the amount of security needed for that particular subset of the IS analyzed. Maybe that's one of the reasons why ISO 27000 Terms and Definitions is not yet available.

Kind regards.

Renato Aquilino Pujol, CISA, CISM
Technical Director - SGSI (ISMS) -
CESSER Informática y Organización S.L.
Alicante, Spain.



-----Original Message-----
From: users-bounces at ism3.com [mailto:users-bounces at ism3.com] On behalf of Gary Hinson
Sent: Monday, 09 July 2007 23:41
To: 'ISM3 Users discussion list'
Subject: Re: [ISM3 Users] Tuesday Insight: Environments

> It seems that Environment is the most misunderstood concept of ISM3.
> ...
> When looking at an organization we can model it as the sum of all
> component assets, but first of all we have to choose the depth of
> modelling. Is every cable and connector of a network an asset? If it
> is not, why? Could you model a dog as a set of molecules or as a set
> of cells?
> ...

Hi Vicente.

You have identified a common problem about the appropriate level of analysis
for inventorying and risk-assessing information assets, but I wonder if
"environment" is the best term for a group of assets?  In common language,
"environment" is "the surroundings".  In an IT context, "environment" is
often taken to mean "the IT infrastructure" or "the physical environment for
the computer room", or even "the context in which an application system is
used".  I personally prefer the term "system" as used within systems
analysis, but "system" is usually understood to be the "computer system"
i.e. a mainframe, server or PC, so that's no better.  Perhaps someone else
on this forum has a better idea?

One more point: the level of analysis is not something one can determine
definitively, once and for all time.  It is related to the nature of the
analysis required, and the number of data items we can reasonably analyse.
During the Y2k debacle, for instance (1), we had to analyse 'all' software
for Y2k bugs, therefore we had to inventory 'all software applications' and
'all firmware' which involved checking individual instances of software
(e.g. to make sure that no vulnerable versions were still in use) and
individual items of equipment (with their embedded firmware).  For disaster
contingency planning (2), that level of analysis is unnecessary and in fact
counterproductive.  We might possibly need to know what the business
impacts are if a particular system goes up in smoke, but usually we are concerned
about the loss of the whole facility.  In relation to zero-day exploits (3),
we may need to know the disposition of a given piece of vulnerable software
across our entire population of systems.  In other words, sometimes we need
a top-down view (3), sometimes bottom-up (1) and sometimes both ways (2).

Kind regards,
Gary 

PS  Nice piece in the ENISA Quarterly!

Gary Hinson,
Passionate about security awareness
www.NoticeBored.com  
www.ISO27001security.com  
 

_______________________________________________
Users mailing list
Users at ism3.com
http://lists.ism3.com/mailman/listinfo/users