
A question came up on the ISO27k Forum about how to handle 'primary and secondary assets' in the risk assessment processes described by ISO/IEC 27005. This is my response ...
“Primary assets (business processes and activities, information) … usually the core processes and information of the activity in the scope” [ISO/IEC 27005:2018 section B.1.2] are the focal point: that’s what we need to protect. However, in order to do that, we also need to take care of other matters, including the supporting/enabling information systems, networks etc. Those have some intrinsic value (e.g. used but now redundant servers can be upgraded, redeployed, sold or scrapped) but their main value relates to their roles in relation to the primary assets.
A topical analogy is “health” – an asset we all need to protect. For virtually everyone, it’s clearly primary - #1, The Most Important Thing Of All. There are many threats to our health (not just coronavirus!) and we have many vulnerabilities (e.g. we need to breathe, we have mucosa, we need to interact with the world around us to gather essential supplies …), while the impacts of health incidents are many and varied (from ‘feeling a bit off colour’ to death). We can’t directly protect “health” (which is intangible and cloudy), but we can work on various related aspects that, in turn, support good health – like for instance staying out of range of coronavirus and flu sufferers coughing and sneezing; staying well nourished; exercising to maintain physical fitness; thinking about hard stuff like this to maintain mental agility; being vigilant for the symptoms of poor or deteriorating health; having the health services, docs, drugs, respirators etc. to increase our ability to survive disease etc. In infosec terms, that’s a blend of preventive, detective and corrective controls designed to protect our continued integrity and availability 😊
Figuring out and managing health risks is complex, multifaceted and dynamic. There are some things we can’t control at all (e.g. we’re all getting older!) and many that we can only partially control. The controls come with costs and drawbacks, different implications, different effectiveness and benefits. Implementing and using certain controls precludes others and may even increase the risks in other areas (e.g. “Going shopping” is allegedly soothing for some shopaholics but means interacting with the Great Unwashed). The controls have physical and behavioural aspects. There are tools and techniques, individual and societal. There are assurance aspects (“I take vitamin supplements: am I fitter/healthier or just poorer? What about these fish oils and ‘high potency’ vits?”) and snake-oil to be wary of (homeopathy, anyone? Magic crystals? Dancing naked around the standing stones as we sacrifice a goat?).
It’s the same with information risks, right? Hey, we even have computer viruses to worry about! However we have been looking after our health for millennia all the way back to the primordial soup, whereas infosec - and more pertinently information risk management - is relatively new, rough around the edges.”