The InfoSec Blog

What is the goal behind calculating assets in ISO-27000?

Posted by Anton Aylward

My friend and colleague Gary Hinson said about asset valuation in ISO-27000:

So, for instance, it’s hard to say exactly how much the HR database
is worth, but it’s a fair bet that it is less valuable to the
organization than the Sales and Marketing database containing
commercial details on customers and prospects. Therefore, it
probably makes commercial sense to put more effort and resources into
securing the S&M database against disclosure incidents, than for the
HR database.

While Gary is 'classically' right, there's a hidden gotcha in all that.

It is *YOU* that are assigning value; it is the value to YOU.
As Donn Parker points out, this may be quite different from the value system of the attackers. You don't know their values, motivations, tools, etc. etc. etc.

An “11th Domain” book.

Posted by Anton Aylward

http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm

Gary Hinson makes the point here that Rebecca Herold makes elsewhere:
Awareness training is important.

I go slightly further and think that a key part of a security practitioner's professional knowledge should be about human psychology and sociology, how behaviour is influenced. I believe we need to know this from two aspects:

First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. Many workers complain that their managers, their executives seem to go off at a tangent, ignore "the facts". We speak of decisions driven by articles in "glossy airline magazines" and by often distorted cultural myths. "What Would the Captain Do?", or Han Solo or Rambo might figure more than "What Would Warren Buffett Do" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executives are more rational than this, but even so ...

Significant Impact Calculation in Business Risk

Posted by Anton Aylward

My colleague Gary Hinson made the following observation on the ISO 27001 list in August:

There are numerous assumptions and estimations in the risk
assessment process, so all calculated values have quite wide margins
of error. Worse still, there are almost certainly risks or impacts
that we have failed to recognise or assess, in other words we need to
allow for contingency.

Oh, it's worse than that!

The problem is that the potential perpetrators are the ones that determine "the most significant risks" of which you speak, in both frequency (when they decide to strike) and impact (how much damage they will do and what they will do with the results of their attacks), not the person performing the risk analysis.

We are debating how to value an asset: book value, replacement value or the value of the process of using it. Well, that doesn't matter; it's the value to the perpetrator of the attack that counts. What you value and defend might be of no interest to him (or her). Obtaining the desired asset may result in collateral damage.

So long as you focus on a Risk Analysis model rather than a comprehensive plan of diligence and security stablemen you are going to get caught out by these false assumptions.

Face it: the Risk Analysis approach means you have no idea who and where the potential perpetrators are, rational or irrational; when and how they may strike (with a tank, an army, or with false data entry).

But act and calculate as if you do.

You have no idea of the perpetrator's

  • skills
  • knowledge
  • resources
  • authority
  • motives
  • objectives

but the Risk Analysis approach presumes that you do.

I'm sorry, this doesn't make sense, and hence arguing about how to calculate the value of an asset doesn't make sense in this context. It's like arguing over how many angels can dance on a pinhead when there's war and famine going on outside.

The CISSP Forum FAQ

Posted by Anton Aylward

It's one of those bootstrap problems - the new CISSPs who need to read the information can't get at the FAQ on how to sign up for the CISSPForum because they need to be members of the forum in order to read the instructions.

Yes, I know the information is at the (ISC)2 web site, but that's an incredibly difficult site to navigate.

Because of this, Gary Hinson and myself, each quite independently, took the CISSP Forum FAQ and converted it to a web page, adding hyperlinks etc. The two pages are at:

Both sites are very rich, but very different in nature. Gary makes use of custom mind-maps to assist in navigation, whereas the Wiki allows for registered members - CISSPs - to contribute.

The CISSP Forum at YahooGroups is very active. It is not a purely technical group, but an active support group for CISSPs. It handles well over 1,000 messages a month and is the kind of "social network" that some vendors would pay millions of dollars to own - if it wasn't a closed group that spurns advertising.

The astounding thing is that so few CISSPs know about it. (ISC)2 seems to make no effort to publicise it to people as they gain their certification.
If you are a CISSP, visit either of those two pages, or better still go directly to the (ISC)2 web page for registration - https://www.isc2.org/cgi/cissp_forum.cgi - and sign up.
