My fellow CISSP and author Walter Jon Williams observed that
Paranoia is not a part of any mindset. It is an illness.
Ah, Walter the literalist!
Yes I agree with what you say but look at it this way
“We’re paid to be paranoid” doesn’t mean we’re ill.
It’s a job.
Now if your job is an obsession, one you take home with you, that interferes with your family life and that you can’t let go of, then it’s an illness, whatever that job is.
“We’re paid to be paranoid”
It’s a job. You don’t pay us Information Security Professionals to be Pollyannas, to have a relaxed attitude. Continue reading On ‘paranoia’ – revisiting “Paid to be paranoid”
I often explain that Information Security focuses on Information Assets.
Some day, on the corporate balance sheet, there will be an entry
which reads, “Information”; for in most cases the information is
more valuable than the hardware which processes it.
— Adm. Grace Murray Hopper, USN Ret.
Some people see this as a binary absolute – they think that there’s no need to assess the risks to the physical assets, or that somehow this is automatically considered when assessing the risk to information.
The thing is there are differing types of information and differing types of containers for them. Continue reading Confusion over Physical Assets, Information Assets in ISO-27000
On the ISO27000 Forum list, someone asked:
I’m looking for Risk statement for each ISO 27k control; meaning
“what is the risk of not implementing a control”.
That’s a very ingenious way of looking at it!
One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out?
Ingenious aside, I’d be very careful with an approach like this.
Risks and controls are not, and should not be, 1:1. Continue reading About ISO 27001 Risk Statement and Controls
What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I’m asking about a true risk assessment framework not merely a checklist.
Yes, this is a bit of a meta-question. But then it’s Sunday, a day for contemplation.
When does something like these stop being a check-list and become a framework?
COBIT is very clearly a framework, but not for risk analysis, and even its section on risk analysis fits into a business model rather than a technology model.
ISO-27K is arguably more technology (or at least InfoSec) focused than COBIT, but again risk analysis is only part of what it’s about. ISO-27K calls itself a standard, but in reality it’s a framework.
The message that these two frameworks send about risk analysis is
Context is Everything
(You expected me to say that, didn’t you?)
I’m not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.
Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis … presumably because their doing so has brought us to the international financial crisis we’re in (though I don’t think it’s that simple).
The trouble is that RA is a bit of a ‘hypothetical’ exercise. Continue reading Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …
No, I don’t think this is a good start.
It ignores such fundamentals as policy, change management, awareness, management reporting, risk assessment and risk tolerance …
And much else like that. Continue reading Security Posture Assessment resources