[ISM3 Users] Tuesday Insight: Environments as a management unit
Vicente Aceituno
aceituno at yahoo.com
Tue Jun 5 13:31:27 CEST 2007
Perhaps you have used "assets" as a way to model the
information systems used in a company.
ISM3 steers away from assets, as they are removed from
the management level of detail necessary for
information security.
An environment is defined as a set of systems in a
single location, with a defined border, under a single
management. This is a useful concept because you can
list the environments in your company and make a graph
similar to the example in ISM3 proper.
Environments are more useful than assets in a number
of ways:
.- The relationship between systems and who manages
them is kept in focus.
.- Objectives and actions take effect on whole
environments; this simplifies management. You don't
have to treat every single system under your
responsibility individually, and you don't have to
fill your procedures and policies with exceptions.
.- Environments highlight the potential need to move
systems from one environment to another or split
environments between strict and relaxed protection
needs.
.- When an environment's border is not controlled, it
highlights the need to establish a filtered border (e.g.
firewalls).
.- An environment graph shows both logical and
physical borders.
.- Using assets it is difficult to decide the right
depth. Shall we stop at the application level, or
should we list every single component, starting with
the backend database cluster?
Identification of the environment is necessary to
clarify what is the lifecycle of systems within the
environment, and establish convenient measures to
protect that lifecycle.
So when you model the IT in a company use
environments; they give you the right depth of
modeling.
My best
Vicente