[ISM3 Users] Tuesday Insight: Environments

Adrian Wiesmann awiesmann at somap.org
Tue Jul 10 12:43:15 CEST 2007


Hello all

This thread is becoming very interesting. Let me add a few thoughts and
notes:

I agree with Gary when he writes that:

"One more point: the level of analysis is not something one can determine
definitively, once and for all time."

IMHO the level of depth is something which the assessor has to decide from
assessment to assessment. But I am having those thoughts:

- Recurring assessments should always stay the same (depth-wise) so that
the results can be compared.
- Everything in a company is an asset (cable, room, file cabinet, people).
The only question is how much that asset is worth to the company.
- The depth of an assessment can vary depending on the tools and
automatisms the assessor applies, and not only on the needs or
requirements concerning the result of an assessment.

Vicente wrote that:

> Security Management is about establishing processes, in this
> particular case you could create a OSP-26 Enhanced Reliability and
> Availability Management process, which would take care of single
> points of failure like the one you mention.

True. But who or what is telling you that you need such a process? And is
there a big picture where you can see if this process was successful or
not?


> For a manager (tactical level), you don't want to know *this
> particular* cable is critical. What you want to know is "In this
> environment there are 20 single points of failure, down from 25 last
> quarter"

Which brings me to the word "scale". The management probably doesn't want to
know anything about network cables. But don't we need that information for
the big picture?

I strongly believe that it is possible to write tools which can abstract
some level of detail without losing that information. IMHO we lack good
and detailed data which allows us to decide on real facts. Everything we
work with is always in some level of abstraction.

Which brings me to the question of whether we should add the network cables
to an assessment or not. Adding them will add much "noise" to an assessment.
Not adding them shows us a wrong image. Of course the management is not
interested in every single network adaptor. But to get the full image we
actually should have the information about those.

Which brings me to the tools. It should IMHO be possible to write tools
which allow us to add network adaptors into an assessment without the
assessor having to "click through all of those".

Of course there will always be the question of abstraction, but I think we
should look at what data we could have and how we could manage that data
without getting lost in details.

Regards,
Adrian
SOMAP.org
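An added illustration of the point made above about tools that abstract detail without losing it; this is example code written for this page, not code from the thread, from ISM3 or from SOMAP. It keeps every operational-level asset (cables, adapters, a switch) in an inventory, rolls them up per environment into the figure a manager asks for ("N single points of failure, down from M last quarter"), and retains the drill-down list behind each number. All asset names, environments, worth scores and previous-quarter figures are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One operational-level asset. Every value in this example is constructed."""
    name: str
    kind: str                      # e.g. "cable", "adapter", "switch"
    environment: str               # the environment the asset belongs to
    worth: int                     # constructed 1..5 score: how much the asset is worth to the company
    single_point_of_failure: bool  # True when no redundancy exists for this asset


# Constructed inventory; nothing here refers to a real network.
INVENTORY = [
    Asset("patch-cable-07", "cable", "datacenter", 4, True),
    Asset("patch-cable-08", "cable", "datacenter", 1, False),
    Asset("core-switch-1", "switch", "datacenter", 5, True),
    Asset("nic-eth0-db01", "adapter", "datacenter", 3, True),
    Asset("wall-port-2a", "cable", "office", 2, True),
    Asset("printer-nic", "adapter", "office", 1, False),
]

# Constructed per-environment figures from the "previous quarter" assessment.
PREVIOUS_SPOF = {"datacenter": 5, "office": 1}


def roll_up(assets, previous):
    """Aggregate operational detail into a per-environment tactical view.

    Each environment entry carries the count a manager asks for, the delta
    against the previous assessment, and the list of assets behind the count
    (highest worth first) so the figure can be traced back to single cables
    and adapters without the manager ever having to click through them.
    """
    by_env = defaultdict(list)
    for asset in assets:
        if asset.single_point_of_failure:
            by_env[asset.environment].append(asset)

    result = {}
    for env in sorted(set(by_env) | set(previous)):
        spofs = sorted(by_env.get(env, []), key=lambda a: (-a.worth, a.name))
        count = len(spofs)
        prev = previous.get(env)
        result[env] = {
            "spof": count,
            "previous": prev,
            "delta": None if prev is None else count - prev,
            "detail": [(a.name, a.kind, a.worth) for a in spofs],
        }
    return result


def management_line(env, entry):
    """Render one environment's entry the way the tactical level wants to read it."""
    prev, delta = entry["previous"], entry["delta"]
    if prev is None:
        trend = "no figure from last quarter"
    elif delta < 0:
        trend = f"down from {prev} last quarter"
    elif delta > 0:
        trend = f"up from {prev} last quarter"
    else:
        trend = "unchanged from last quarter"
    return f"In environment {env!r} there are {entry['spof']} single points of failure, {trend}"


if __name__ == "__main__":
    summary = roll_up(INVENTORY, PREVIOUS_SPOF)
    for env, entry in summary.items():
        print(management_line(env, entry))
        for name, kind, worth in entry["detail"]:  # drill-down kept for the assessor
            print(f"    {kind:8s} {name:16s} worth={worth}")
```

The manager sees only the first line per environment; the assessor keeps the indented detail, and because the same inventory and the same rule produce both views, a recurring assessment stays comparable quarter to quarter.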
