[ISM3 Users] Tuesday Insight: Environments

Adrian Wiesmann awiesmann at somap.org
Wed Jul 11 10:03:19 CEST 2007


Hello

>> "All conceivable" and "too much" are emotive terms, Vicente.
>
> You are right.

This is the dilemma I mentioned. What makes you sure that your decisions
are the right ones? More data theoretically means potentially exacting
interpretations. But there is no guarantee of course...


>> I would argue that comprehensive, accurate and up-to-date (a.k.a. high
>> quality) data on information assets means better informed and hopefully
>> more accurate management decisions.
>> A high quality information asset inventory/database, shared
>> amongst various departments, can be used for multiple purposes e.g.:

Absolutely. This is the problem with my model. It works with a heap of
data. But IMHO there are three things to consider:

- The data should be there anyway (inventory, etc), so why not use it.
- Access to the data can be scaled and the data can be "reused". (As
Gary's list shows.)
- Data can be linked, creating some kind of relationship between the
records (with topic maps as an example). The linking allows for automated
managing and analysing.


> When I think management, I normally think of tactical and strategic
> levels.
>
> Can you imagine a CEO asking a CISO to tell him how IT systems are
> protected and the CISO handing out a copy of the inventory?

No, but I think that was never the question. Scalability is the solution
to this. The CISO needs the details for his decisions and arguments and
shows only the abstract or extract to the CEO.

There is another argument for collecting the data which was not mentioned
before. The collection makes it possible for us to share that data with
third parties. The Open Risk Model Repository (ORIMOR) I am trying to
build is more or less about sharing empirical values. It works much like
the "other-persons-also-bought-this-article" Amazon feature. Because
organisations share their risk factors of running Postfix (as example)
this can give the CISO some hint about what risks her environment could
face. It would even allow for comparing running Postfix vs QMail vs
Exchange.

Of course there are many factors to consider and much work to be done. But
we are heading into a direction where we start to interpret (all)
available data which can then be used to analyse a situation and hopefully
result in exacting results.

Regards,
Adrian
