How do you know WHAT assets are to be included in the ISO-27K Asset Inventory?
This question and variants of the “What are assets [for ISO27K]?” comes up often and has seen much discussion on the various InfoSec forums I subscribe to.
Perhaps some ITIL influence is need. Or perhaps not since that might be too reductionist.
The important thing to note here is that the POV of the accountants/book-keepers is not the same as the ISO27K one. To them, an asset is something that was purchased and either depreciates in value, according to the rules of the tax authority you operate under, or appreciates in value (perhaps) according to the market, such as land and buildings.
Here in Canada, computer hardware and software depreciates PDQ under this scheme, so that the essential software on which you company depends is deemed worthless by the accountants. Their view is that depreciable assets should be replaced when they reach the end of their accounting-life. Your departmental budget may say different.
Many of the ISO27K Assets are things the accountants don’t see: data, processes, relationships, know-how, documentation.
I used to give the example of 9/11 in my presentations. Many of the SMBs and mid-size companies that had offices in the Twin Towers went bankrupt even though the insurance covered hardware loss and they had backups. What was lost was the know-how, the stuff in people’s heads and other intangibles.
Sadly, that’s a good way of looking at the “What is an Asset” question. Treat it like a Business Continuity (as in disaster recovery) question. What do you need to get running again if you had a ‘hot site’ with all the equipment?
There are, I suppose, two there takes on this question.
The first is “how do you record it?”
It doesn’t matter, so long as you do and the information is accessible (since it too is now an asset) and satisfies the Auditor.
The other is “how do you collect the information?”
Perhaps the best way I can answer that is “go google” for the inner workings of SOX. To meet the requirements of SOX (as well as many regulations imposed on banks) business processes have to be documented, the work-flow, the accountabilities and so forth. SOX has a more limited scope but the techniques are well documented because the Big N-1 Accounting firms ended up with processes guides & check-lists they could give to juniors to carry out :-/ Look those up, they’ll tell you who to ask questions of, what questions and how to convert the answers into something meaningful. It isn’t all that you want, but its a start.
Personally I use COBIT. Version 3 has a lot on the who to interview and what to find out; version 4 has many ways of expressing the nature of the information and reporting. version 5 is in the process of being released. Version 5 integrates Value and Risk and is pretty amazing.
What COBIT has done for me has guided the analysis and identification of what information InfoSec needs to operate effectively and what is needed to satisfy the auditors. As ever, you need to consider scope.
- Leading ISO 27001 Roadmap Refreshed – Takes Guesswork Out of Information Security Certification Process (prweb.com)
- 4 reasons why ISO 27001 is useful for techies (iso27001standard.com)
- Build resilience into your management system (deurainfosec.com)
- Free calculator: Duration of ISO 27001/ISO 22301 implementation (net-security.org)
- HR controls during employment and ISO 27001 (deurainfosec.com)
I often get hit on by wannabes who want to – as they put it – “break into security” and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.
What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.
But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:
Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.
Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.
He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.
That really inspires confidence in the system, doesn’t it?
So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a ‘sleeper’ for a terrorist organization?
Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.
Might we suspect a disgruntled ex-lover?
Oh, right, there are so many of them, that level of investigation is impractical.
- ‘Dead Man Walking’ Tricks Airport into Giving Him Top Security Job (wired.com)
- Airport worker allegedly had man’s ID before death (heraldonline.com)
- Illegal immigrant used stolen ID to work as airport security supervisor for 20 years (EndtheLie.com)
- Congress considers threats from airport employees (cbsnews.com)
- Nigerian Bimbo Olumuyiwa Oyewole was known by his co-workers as Jerry Thomas (luckmeister.typepad.com)
You do do backups don’t you? Backups to DVD is easy, but what software to use?
What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I’m asking about a true risk assessment framework not merely a checklist.
Yes, this is a bit of a META-Question. But then its Sunday, a day for contemplation…
When does something like these stop being a check-list and become a framework?
COBIT is very clearly a framework, but not for risk analysis and even the section on risk analysis fits in to a business model rather than a technology model.
ISO-27K is arguably more technology (or at least InfoSec) focused that COBIT, but again risk analysis is only part of what its about. ISO-27K calls itself a standard but in reality its a framework.
The message that these two frameworks send about risk analysis is
Context is Everything
(You expected me to say that, didn’t you?)
I’m not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.
Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis .. presumably because their doing so has brought us to the international financial crisis we’re in (though I don’t think its that simple).
The trouble is that RA is a bit of a ‘hypothetical’ exercise.
What’s interesting here is that this isn’t preaching “The Cloud” and only mentions VDI in one paragraph (2 in the one-line expanded version).
Also interesting is the real message: “Microsoft has lost it”.
Peter Drucker, the management guru, pointed out that the very last buggy-whip manufacturer in the age of automobiles was very efficient in its processes – it *HAD* to be to have survived that long. (One could say the same about sharks!)
“Keeping desktop systems in good working order is still a labour of Sysiphus ..”
Indeed. But LinuxDesktop and Mac/OSX seem to be avoiding most of the problems that plague Microsoft.
A prediction, however.
The problem with DOS/Windows was that the end user was the admin and could fiddle with everything, including download and install new code. We are moving that self-same problem onto smart-phones and tablets. Android may be based on Linux, but its the same ‘end user in control’ model that we had with Windows. Its going to be a malware circus.
- eWEEK Review: Unidesk Simplifies VDI Deployment and Management (prweb.com)
- Dell Delivers Desktop-as-a-Service (informationweek.com)
- Zenk GmbH to Distribute Unidesk VDI Management Software in Germany (prweb.com)
- The key questions you must ask to save your virty desktop dream (go.theregister.com)
- 6 Common Desktop Virtualization Mistakes (informationweek.com)
- 5 Best Alternatives of Windows 8 (indianbloggist.com)
You gotta love the low-tech solution. It’s really never NOT about people, is it?
Darn tooting right!
Its always people. Any way you look at it.
Which is why I go on about The 11th Domain.
Why the CBK places so much emphasis on technology when the (ISC)2′s motto is “Security transends technology” and why the “people” aspect, social structures of organizations, behavioural psychology, group psychology and lot more, all of which are “about people” and probably have a greater leverage as far as InfoSec “Getting Things Done” (Especially in a stress-free manner_.
As I said previously, I think we’re doing it wrong; and I don’t mean just Risk Assessment!
What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following
RISK is the
PROBABILITY that a
THREAT will exploit a
VULNERABILITY to cause harm to an
R = f(T, V, A)
Why do you think they are called “TVAs“?
More sensibly the risk is the sum over all the various ..
This isn’t just me sounding off. Richard Bejtlich says much the same thing and defends it from various sources. I can’t do better that he has.
A short while ago I read an article that tried to present both sides of the issue of whether companies should shut down their desktop machines at night.
The ‘pro’ was of course the saving of electricity – all good and “Green“.
The ‘con’ was that this saving would be offset by the cost in time as employees waited for the machines to book and waited while they shut down – the latter to make sure that they didn’t hang.
The article didn’t discuss home users. I’m sure home users would appreciate the savings and be willing to devote the time While many people work from home and many children use computers from home, I don’t think there is a need for an ‘always on‘ computer in the home.
(Unless you count the fridge or the microwave or the VCR clock ..)
Would turning those computers off affect that botnet? Perhaps. I’ve certainly met people who when they learn I’m involved with IT ask me why their computer runs slower than when they bought it. I ask if they run AV or other anti-malware software, purge adware … I rarely hear from them again but when I do its to say that some tool like “Search-and-destroy” told them they had gazillions of malware. And they ask me where it comes from.
I don’t know, I run Linux.
But that argument against turning off corporate machines is specious at many levels. Most of the staff at my clients seem to use laptops rather than desktop machines. They take them to meetings and presentations, sometimes they take them home. All this involves turning off and on. If they don’t take them home at night those laptops have to be locked away, not left on the desk top. That’s been policy everywhere I’ve worked this last decade.
The limiting case was one year I worked in a port-a-kabin.
The sub-zero overnight temperatures meant none of the workstations were operative. So we turned on the cabin heating all the electrics, all the machinery and went to get a coffee (aka “breakfast”). Half an hour later the cabin was warm enough for the electronics to operate. We were not allowed to leave the cabin powered up overnight.
Would shutting down the home machines each night reduce the level of spam? Perhaps. That’s an incentive over and above the Green one of saving electricity. Perhaps some service provider service technician should recommend this over and above regular ‘purges’.
The McAfee report doesn’t make a clear distinction between commercial and residential hosts for the botnets, though it does mention some government agencies and banking institutions in Russia are
malware-laden. The large corporations that make up my clients have always had IT departments that support good front-end filtering and making sure that the workstations have up to date AV software. That being said, I see a lot of people who turn off their AV software. Myth or not, many still believe it affects performance.
Of course I run Linux and I don’t have to worry about rogue ActiveX, and I don’t run attachments I get in the mail and there are many sites I simply don’t visit!
And I turn my home machines off at night.
Related articles by Zemanta
- How to Detect and Prevent Psyb0t, the Linux Router Worm (slumpedoverkeyboarddead.com)
- McAfee: Enabling Malware Distribution and Fraud (readwriteweb.com)
- Spam ‘produces 17m tons of CO2′ (news.bbc.co.uk)
- OS X ‘pirate’ trojan resurfaces (vnunet.com)
- Conficker virus begins to attack PCs (canada.com)
This is somewhat dated, but so what? Most of the points raised still hold valid.
CIO/CSO: “I just went to a very important luncheon meeting. First, they bought me steak, then they showed me powerpoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by then end of the week!”
… and it goes on with the sad-but-true
Consultant: “Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?
Sorry, I’m diabetic.”
Speaking of which:
Dilbert “Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?”
How true; how poignant! And we all know the response to that:
Seriously, though: a while ago I read an article suggesting that how you title you posts or blogs was very important and used examples from magazines such as Cosmopolitan to illustrate that: “The top 10 ways …”, “10 things you should know” and such like were going to attract more readers.
Well heck, who wants to read an article titled:
“Six and a half ways to secure your web site”.
Maybe those into reverse psychology perhaps?
But please, do fix those expired SSL certificates.
Its a good week at TechRepublic for security articles.
In the light of a number of threads this last month in the various forums I’m invovled with I found this article particularly interesting.
The real problem with the ROI debate is that it is about convincing management that spending money on InfoSec protection is worth while. The “B-school mentality” of management is that everything can be reduced to numbers, and many people ‘speak’ that language and have troubles with anything not reduced to numbers. I hope they compartmentalise and and their home life s not “by numbers”. (Imagine justifying the cost effectiveness of peanut butter sandwiches in the kids lunchbox!)
But a lot of InfoSec is too abstract for people.
In my presentations I’ve often given the example of the 1950s office: typewriters, ribbons, carbon paper, hanging file cabinets, copies, and mapped them to modern technology like PC terminals, keystroke recorders, hard drives and file file servers, and thumb drives, and shown that the same principles apply to protecting the information whatever the technology.
So I found this a very useful article. People can easily relate to the physical, to their own home situation. We have many centuries legacy of houses, thieves and door locks and once people can map from something they know to to abstract their understanding is easier, and so our justification of InfoSec measures is also easier.
It seems that people usually have logical thinking when they discuss physical security. This is not the case when they discuss logical security.
There are hundreds of companies that have invested heavily into intrusion detection systems but they have a total lack of incident response or policies associated with what to do when there is an incident detected.
When you ask them if they would buy an home alarm system that does not have a siren and does not alert the police they always respond “No way”, however they do this on a day to day basis with their logical security.
There are many other very good follow-ups to this article and I recommend reading though them.