Warning: include_once(/home/antonaylward/InfoSecBlog/public/wp-content/plugins/wordpress-support/wordpress-support.php): failed to open stream: Permission denied in /home/antonaylward/InfoSecBlog/public/wp-settings.php on line 304

Warning: include_once(): Failed opening '/home/antonaylward/InfoSecBlog/public/wp-content/plugins/wordpress-support/wordpress-support.php' for inclusion (include_path='.:/usr/local/lib/php:/usr/local/php5/lib/pear') in /home/antonaylward/InfoSecBlog/public/wp-settings.php on line 304
Confusion over Physical Assets, Information Assets – Part Two « The InfoSec Blog
The InfoSec Blog
30May/13

Confusion over Physical Assets, Information Assets – Part Two

So I need to compile a list of ALL assets, information or otherwise,

NO!
That leads to tables and chairs and powerbars.

OK so you can't work without those, but that's not what I meant.

InfoAssetsPhysical assets are only relevant in so far as they part of information processing. You should not start from those, you should start from the information and look at how the business processes make use of it.  Don't confuse you DR/BC plan with your core ISMS statements.  ISO Standard 22301 addresses that.

This is, ultimately, about the business processes.

In our first iteration/approximation, you should not focus on hardware at all, except for conditions like ‘portable media’ – laptops, USB sticks, smartphones.  The risk assessment process is directed at the information assets only.And having the physical in there will just complicate your job and confuse your focus.

Laptops and the other portable media I mention are special cases. You can’t apply that kind of focus to everything. The data centre, for example, you’re going to have to look at the physical though the eyes of DR/BCP type risk analysis, if at all.

This is where ‘scoping‘ comes in.
If you make your scope too wide, too inclusive, then you’ll never get it done. Maybe, just maybe, in a few years time, when you have a grip on the basics, you can slowly expand your scope.

But right now I think you can safely say that the risks that the DR/BCP is there to address are not in scope.

In my DatabaseOfDotSigQuotes there is this:

You should not ask yourself what policies to write but what
you need to control. If you begin with a list of policies,
you need to adapt the reality to the list. The risk is that
you create a false sense of control of security.
— Jakob Fredriksson

Not quite the wording that applies here, but the right sentiment :-)

You need to have controls that pertain to the information and the business processes that use it. That’s all that *HAS* to be in scope.

Enhanced by Zemanta

Posted by Anton Aylward

Comments (0) Trackbacks (0)

No comments yet.


Leave a comment

No trackbacks yet.