Mon Sep 29 18:52:10 PDT 2014

TechArch: Inventory: What information protection-related inventory is kept and in what form(s)?


Options:

Inventory of {Hardware, Software, Content, People, Uses, Linkages} is used for {business understanding, modeling, analysis, simulation, risk management, organizational purposes, measure coverage and completeness, control architecture linkage} and is {up to date, accurate, granular} to the required level - using a {unified database, combination of databases, set of disparate repositories, information in people's heads}


Basis:

Hardware: Devices that are physical in nature - computers, papers, bookshelves, wires, wiring closets, buildings, etc.

Software: Computer programs of all sorts, particularly those that are licensed or have other potential legal restrictions.

Content: The things that have utility that is protected by the information protection program.

People: Human beings, including corporate persons and other entities with identities.

Uses: The application of content for a business purpose.

Linkages: Interdependencies between inventory items.

Business understanding: the ability to make meaningful decisions is based on understanding how the business works and how information supports those business functions.

Modeling: imperfect representations of things in inventory for a purpose.

Analysis: mathematical, algorithmic, or other systematic approaches to applying the inventory to meet business needs.

Simulation: analytical methods applied to models to predict outcomes based on situations.

Risk management: the business function used to make decisions about risk acceptance, transfer, mitigation, or avoidance.

Organizational purposes: identifying individuals or functions, communicating and cooperating, structuring activities, or associating ownership or other duties.

Measure coverage and completeness: measurement of a defined subset against the whole set of inventory items.

Control architecture linkage: connections of inventory items and mechanisms to the control architecture and its model of protection.

Up to date: within the parameters of interest, an accurate reflection of reality to within a recency limit.

Accurate: precisely reflective of reality to within defined precision levels.

Granular: at a level of detail and precision appropriate to the need. Typically, low granularity is to the group of systems, type of operating environment, content type, organization, area of business, and general requirements; medium granularity is to the system, operating system and version, file, database, and smallest group level within an organization; and high granularity is to the subsystem, set of software present, record and field within record, individual human, specific transaction, and detailed interdependencies with associated detailed requirements, such as time, location, etc.

Unified database: a single database.

Combination of databases: a combination of databases that are federated or otherwise unified so as to act as one.

Set of disparate repositories: a set of databases or other repositories not otherwise unified.

Information in people's heads: things that people know and remember.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved