Risk and context

Risk tree...for Certification

This is the third post in the series about information and cyber security risk; but who's counting?

ISO/IEC 27001:2013 (27K1:13) sets out the requirements for an information security management system (ISMS). ISO describes an ISMS as:
a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
There are some key words and phrases within that statement:
  1. Sensitive company information,
  2. Secure,
  3. People, processes, and IT systems,
  4. Risk management process.
Starting at the top: information, or sensitive information to be more precise, which, if not protected (kept secure), could result in a negative consequence. Keep in mind, though, that risk is not just about the negative; it is also about opportunities.

Can 'sensitive' (whatever that means) information actually protect itself, or is there a need for other components to help protect this 'asset', such as people, processes, and information technology (IT) systems?

A second question: what does sensitive mean? Of course, it will mean different things to different businesses; what is sensitive to one may not be sensitive to another. It is all a matter of context, and context is very important.

In order to develop a risk management process, the first item on the agenda must be identifying and understanding the context in which this risk process is to operate, i.e. the environment in which the business operates and is able to function.

Knowing the context will, perhaps, explain just what 'sensitive' means to the business. It will also tell us which people may be involved (internal and external), what additional processes may be required and, given that technology is the one ring to rule them all, which IT systems may be involved, wherever they may be.

Having said all of that, there is another oddity to think about; well, a few of them, but let us stick with one for the moment.

What is meant by an asset, and in particular an information asset? 27K1:13 does not help answer the question; it does not define the term. A quick peek at ISO/IEC 27000:2018 (ISMS overview and vocabulary) states: "Information is an asset that, like other important business assets, is essential to an organization's business and, consequently, needs to be suitably protected." Going further afield to the National Institute of Standards and Technology (NIST) Glossary does not help either.

In which case:
  • Asset, something of value (to the business),
  • Information, any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. An instance of an information type. (NIST)
Therefore:
  • A business that creates, processes, stores, shares or transmits knowledge of its own intellectual property (IP) in the form of data is, one suggests, dealing with an information asset. IP has value to the business, and in that form it becomes an information asset;
  • A business that creates, processes, stores, shares or transmits personal data in the form of data is also dealing with an information asset. The value in this case is primarily to the data subject, but it is likely to be of value (in a slightly different context) to the business as well.
The tools:
  • A device (workstation, laptop, smart phone, tablet of some description) that helps a user (or indeed another device) to create, store and then transmit IP is simply that, a tool;
  • An application sitting on the device (or elsewhere) is yet another tool that facilitates the creation, storage and transmission;
  • The tools are assets (items of value) in their own right, but
  • These tools are not information assets!  
Important: if you have not already worked it out, there is a relationship here between the information, the tools, and the user, and this relationship is most important when looking at risk! A vulnerability is found in a tool, but the loss is measured on the information that tool handles, and one shared tool can expose several information assets at once.
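To make that relationship concrete, here is an added example (not code from the original post or from KanSecurity) of a minimal asset register that records which tools handle which information assets and who uses those tools, so that a weakness found in a tool can be traced to the information it exposes. The asset names, the 1..5 value scale, the in-scope flags and the exposure score are all assumptions constructed for illustration.

```python
"""Added example, not from the original post: a minimal asset register that
links information assets to the tools (devices, applications) that handle
them and to the people who use those tools, so that a vulnerability in a
tool can be traced to the information assets it exposes.

All names, values and scope decisions below are constructed for
illustration; none comes from the post or from a real organisation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class InformationAsset:
    name: str
    classification: str   # what 'sensitive' means in this business's context
    value: int            # business value, 1 (low) .. 5 (high); an assumed scale


@dataclass
class Tool:
    """A device or application: an asset, but not an information asset."""
    name: str
    kind: str                                   # "device" or "application"
    handles: set = field(default_factory=set)   # information assets it creates/stores/transmits
    used_by: set = field(default_factory=set)   # people, internal or external
    in_scope: bool = True                       # decided by the ISMS context


class AssetRegister:
    def __init__(self):
        self.information = {}
        self.tools = {}

    def add_information(self, asset):
        self.information[asset.name] = asset

    def add_tool(self, tool):
        self.tools[tool.name] = tool

    def exposed_by(self, tool_name):
        """Information assets exposed if the named tool is compromised."""
        return sorted(self.tools[tool_name].handles)

    def exposure(self, tool_name):
        """Crude exposure score: sum of the value of every information asset the
        tool handles, counted only if the context places the tool in scope.
        The vulnerability lives in the tool; the loss is measured on the information."""
        tool = self.tools[tool_name]
        if not tool.in_scope:
            return 0
        return sum(self.information[n].value for n in tool.handles)

    def tools_handling(self, info_name):
        """All tools through which one information asset can be reached."""
        return sorted(t.name for t in self.tools.values() if info_name in t.handles)

    def people_with_access(self, info_name):
        """People who reach the information asset via any tool that handles it."""
        people = set()
        for t in self.tools.values():
            if info_name in t.handles:
                people |= t.used_by
        return sorted(people)


def build_sample_register():
    """Constructed sample data for the example."""
    reg = AssetRegister()
    reg.add_information(InformationAsset("product-designs", "trade secret (IP)", 5))
    reg.add_information(InformationAsset("customer-records", "personal data", 4))
    reg.add_information(InformationAsset("canteen-menu", "public", 1))
    reg.add_tool(Tool("laptop-42", "device", {"product-designs", "customer-records"}, {"alice"}))
    reg.add_tool(Tool("crm-app", "application", {"customer-records"},
                      {"alice", "bob", "support-contractor"}))
    reg.add_tool(Tool("intranet-wiki", "application", {"canteen-menu"}, {"everyone"}, in_scope=False))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for tool in reg.tools:
        print(tool, "exposes", reg.exposed_by(tool), "exposure score", reg.exposure(tool))
    print("customer-records handled by:", reg.tools_handling("customer-records"))
    print("people with access to customer-records:", reg.people_with_access("customer-records"))
```

Running it shows the two points the post makes: a single weak device (the laptop) exposes two information assets of different kinds, and a tool outside the ISMS context (the wiki) contributes nothing to the risk picture, however vulnerable it is, because scoping happens before assessment.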

Things to take away:
  • Know what is meant by an ISMS;
  • Look at the context of the business to understand where information and cyber security risk will be positioned (scope);
  • Get to know what assets (those items of value to the business) are within scope;
  • Look for the relationship between the information assets and the many, and varied tools that are used within scope.
As a final thought: when reflecting upon the many and varied tools used within the business (think about people, processes and IT systems, for a start), where are the 'weaknesses' or 'vulnerabilities' most likely to be found: in the tools, or in the information?
KanSecurity (NL)
