The InfoSec Blog

Confusion over Physical Assets, Information Assets – Part Two

Posted by Anton Aylward

So I need to compile a list of ALL assets, information or otherwise,

NO!
That leads to tables and chairs and powerbars.

OK so you can't work without those, but that's not what I meant.

InfoAssetsPhysical assets are only relevant in so far as they part of information processing. You should not start from those, you should start from the information and look at how the business processes make use of it.  Don't confuse you DR/BC plan with your core ISMS statements.  ISO Standard 22301 addresses that.

This is, ultimately, about the business processes.

How much Risk Assessment is needed?

Posted by Anton Aylward

In many of the InfoSec forums I subscribe to people regularly as  the "How long is a piece of string" question:

How extensive a risk assessment is required?

It's a perfectly valid question we all have faced, along with the "where do I begin" class of questions.

The ISO-27001 standard lays down some necessities, such as your asset register, but it doesn't tell you the detail necessary. You can choose to say "desktop PCs" as a class without addressing each one, or even addressing the different model. You can say "data centre" without having to enumerate every single component therein.

At first.

About ISO 27001 Risk Statement and Controls

Posted by Anton Aylward

On the ISO27000 Forum list, someone asked:

I'm looking for Risk statement for each ISO 27k control; meaning
"what is the risk of not implementing a control".

That's a very ingenious way of looking at it!

One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out ?

Ingenious aside, I'd be very careful with an approach like this.

Risks and controlsare not, should not, be 1:1.

Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …

Posted by Anton Aylward

What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level?  I'm asking about a true risk assessment framework not merely a checklist.


Yes, this is a bit of a META-Question. But then its Sunday, a day for contemplation.

When does something like these stop being a check-list and become a framework?

COBIT is very clearly a framework, but not for risk analysis and even the section on risk analysis fits in to a business model rather than a technology model.

ISO-27K is arguably more technology (or at least InfoSec) focused that COBIT, but again risk analysis is only part of what its about. ISO-27K calls itself a standard[1] but in reality its a framework.

The message that these two frameworks send about risk analysis is

Context is Everything

(You expected me to say that, didn't you?)

I'm not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.

Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis .. presumably because their doing so has brought us to the international financial crisis we're in (though I don't think its that simple).

The trouble is that RA is a bit of a 'hypothetical' exercise.

All Threats? All Vulnerabilities? All Assets?

Posted by Anton Aylward

One list I subscribe I saw this outrageous statement:

ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset - that means that you have to
consider whether every threat from your list is related to each of
your assets.

"All"? "Every"?
I certainly hope not!
Unless you have a rule as to where to stop those lists - vectors that you are going to multiply - are going to become indefinitely large if not infinite. Its a problem in set theory to do with enumberability.

See
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
for a more complete discussion of this aspect of 'risk'.

See
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
in which Jeff Lowder has a discussion of the "utility value" approach to controls

Because its the controls and their effectiveness that really count.

Significant Impact Calculation in Business Risk

Posted by Anton Aylward

My colleague Gary Hinson made the following observation on the ISO 27001 list in August:

There are numerous assumptions and estimations in the risk
assessment process, so all calculated values have quite wide margins
of error. Worse still, there are almost certainly risks or impacts
that we have failed to recognise or assess, in other words we need to
allow for contingency.

Oh,its worse than that!

The problem is that the potential perpetrators are the ones that determine "the most significant risks" of which you speak, in both frequency (when they decide to strike) and impact (how much damage they will do and what they will do with the results of their attacks), not the person performing the risk analysis.

We are debating how to value an asset, book value, replacement value or the value of the process of using it. Well that doesn't matter; its the value to the perpetrator of the attack at counts. What you value and defend might be of no interest to him (or her). Obtaining the desired asset may result in collateral damage.

So long as you focus on a Risk Analysis model rather than a comprehensive plan of diligence and security stablemen you are going to get caught out by these false assumptions.

Face it: the Risk Analysis approach means you have no idea who and where the potential perpetrators are, rational or irrational; when and how they may strike (with a tank, an army, or with false data entry).

But act and calculate as if you do.

You have no idea of the perpetrator's

  • skills
  • knowledge
  • resources
  • authority
  • motives
  • objectives

but the Risk Analysis approach presumes that you do.

I'm sorry, this doesn't make sense and hence arguing about how to calculate the value of an asset doesn't make sense in this context. Its like arguing over how many angels can dance on a pinhead when there's war and famine going on outside.

Enhanced by Zemanta