[ISM3 Users] Tuesday Insight: Environments

Renato Aquilino Pujol rap at cesser.com
Tue Jul 10 17:35:43 CEST 2007


Vicente, of course an individual component is only a part of a set or
subset of higher-level components. By analyzing the different layers,
each one with its inherent metrics, scope, target "audience",
description language and conversion criteria between layer metrics, we
establish the different measures of "security" while keeping global
consistency top-down and bottom-up.

Back to your question:

"What is the adequate depth for Security Management?"

I think there is no single, precise answer to this question, as the
main subject, "Security Management", is so variable in itself and
cross-related with more than one layer that its boundaries are wide
lines. I think the depth of Security Management will depend directly on
the scope and objectives of the ISMS.

Maybe this kind of question, and the difficulty of reaching a global
consensus on them, is what keeps ISO 27000 Terms and Definitions,
ISO 27003, 27004 and 27005 unavailable? As far as I know, this is one of
the reasons.

Regards.

Renato Aquilino


-----Original Message-----
From: users-bounces at ism3.com [mailto:users-bounces at ism3.com] On behalf of
Vicente Aceituno
Sent: Tuesday, 10 July 2007 11:10
To: ISM3 Users discussion list
Subject: Re: [ISM3 Users] Tuesday Insight: Environments

Renato, Gary,

Yes, different activities require different modelling depth. The
question I try to clarify is "What is the adequate depth for Security
Management?"

> cable itself is not an "asset", but a network cable connecting
> critical network components is clearly an "asset" when we must ensure
> network availability, as we can identify threats against that goal
> (interference, unsafe environment, etc).

If you mean individual components are an appropriate modelling level
for information systems, I disagree.

Security Management is about establishing processes. In this
particular case you could create an OSP-26 Enhanced Reliability and
Availability Management process, which would take care of single
points of failure like the one you mention.

For a manager (tactical level), you don't want to know that *this
particular* cable is critical. What you want to know is "In this
environment there are 20 single points of failure, down from 25 last
quarter."

For risk assessment, individual physical assets are clearly out of the
question. Too much detail.

Vicente
_______________________________________________
Users mailing list
Users at ism3.com
http://lists.ism3.com/mailman/listinfo/users