I often explain that Information Security focuses on Information Assets.
Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable than the hardware which processes it.
-- Adm. Grace Murray Hopper, USN Ret.
Some people see this as a binary absolute - they think that there's no need to assess the risks to the physical assets, or that somehow this is automatically considered when assessing the risk to information.
The thing is there are differing types of information and differing types of containers for them.
I often quote the example of businesses that failed with 9/11 even though they had good backups of all their databases and operating data and were using easily replaceable commodity hardware. What was lost, what wasn't even documented, were the business processes that were known to the people who died in that disaster.
But consider a laptop (since they are often the focus of risk and are often stolen and the data on them lost) and consider that we are talking about INFORMATION security management systems when we discuss ISO-27000.
That laptop, newly arrived from the vendor, is, from the POV of the accountants, at the peak of its value, even though it hasn't been unboxed yet. If at this point it was stolen, then the accountants and management might be miffed, but there is no INFORMATION on it.
Its information value is ZERO.
The risk here is that your procedures for stopping laptops being stolen are deficient.
Now let's move 3 years on. The laptop has seen regular use and is loaded with corporate information. From the POV of the accountants, its value on the books has been depreciated and it's of no value.
If it is stolen then yes, your procedures for stopping laptops being stolen are still deficient, but from the POV of the ISMS the laptop is loaded with corporate information.
Its information value is enormous.
From the POV of the ISMS the hardware is a container.
From one POV people are containers as well. The point of my 9/11 story was that unless you document your procedures then people are the containers, the only containers, of that information.
Ultimately, containers (even human ones) can be replaced but their functioning (even human ones) relies on the information being available for the new containers to function with. Just like if you replace your laptop.
OK, so that's a bit brutal, but it emphasises the point of INFORMATION being the asset.
A risk to the information may - or may not - involve a risk to the container. But a risk to the container does not necessarily mean a risk to the information.
If the information on the laptop is encrypted and backed up, then it is not the information that is lost or disclosed. The ability to deal with the information is interrupted, and that interruption must be thought of as an incident, so figure the risk of that. But the laptop can be replaced and the information restored.
Just make sure you have the processes/controls that address the points in that last paragraph.