Sat Aug 30 13:01:55 PDT 2014

TechArch: Inventory: What protection-related inventory should be kept and in what form(s)?


Options:

Inventory of {Hardware, Software, Content, People, Uses, Linkages} is used for {business understanding, modeling, analysis, simulation, risk management, organizational purposes, measure coverage and completeness, control architecture linkage} and is {up to date, accurate, granular} to the required level, using a {unified database, combination of databases, set of disparate repositories, information in people's heads}.


Decisions:

Each row gives, for a risk level and a maturity level, what is inventoried, what the inventory is used for, the required properties (up to date, accurate, granular), the form(s) it is kept in, and comments. "Managed+" means Managed or higher and "Defined-" means Defined or lower on the usual Initial / Repeatable / Defined / Managed / Optimizing scale.

High risk, Managed+ maturity:
  Of what: Hardware, Software, Content, People, Uses, Linkages
  Used for: business understanding, modeling, analysis, simulation, risk management, organizational purposes, measure coverage and completeness, control architecture linkage
  Properties: up to date at the transactional level; accurate to the measurement capacity; granular at maximum granularity
  Kept in: unified database, combination of databases, or set of disparate repositories, depending on risk aggregation limits (a single unified inventory concentrates knowledge of the whole enterprise into one high-value target, so aggregation limits may require splitting it)
  Comments: -

High risk, Defined- maturity:
  Of what: non-defined things
  Used for: whatever desired
  Properties: ad hoc
  Kept in: people's heads
  Comments: Unsafe - increase maturity level

Medium risk, Managed+ maturity:
  Of what: Hardware, Software, Content, People, Uses, Linkages
  Used for: business understanding, modeling, analysis, risk management, organizational purposes, measure coverage and completeness, control architecture linkage
  Properties: up to date at the management rate; accurate at the level of granularity; at medium granularity
  Kept in: unified database, or combination of databases
  Comments: -

Medium risk, Repeatable or Defined maturity:
  Of what: Hardware, Software, Content, People
  Used for: analysis, risk management, organizational purposes
  Properties: sporadically up to date; reasonably accurate; at medium granularity
  Kept in: set of disparate repositories, and information in people's heads
  Comments: -

Medium risk, Initial- maturity:
  Of what: non-defined things
  Used for: whatever desired
  Properties: ad hoc
  Kept in: people's heads
  Comments: Unsafe - increase maturity level

Low risk, Repeatable+ maturity:
  Of what: Hardware, Software, People
  Used for: organizational purposes
  Properties: reasonably up to date and accurate; at low granularity
  Kept in: a set of disparate repositories or people's heads
  Comments: -

Low risk, Initial- maturity:
  Of what: non-defined things
  Used for: whatever desired
  Properties: ad hoc
  Kept in: people's heads
  Comments: -

What security-related inventory is kept and in what forms?

Basis:

Hardware: Physical things - computers, papers, bookshelves, wires, wiring closets, buildings, etc.

Software: Computer programs of all sorts, particularly those that are licensed or have other potential legal restrictions.

Content: The information, in whatever form, whose utility the information protection program protects.

People: Human beings, and also corporate persons and other entities that have identities.

Uses: The application of content for a business purpose.

Linkages: Interdependencies between inventory items.

Business understanding: knowledge of how the business works and how information supports its functions; the ability to make meaningful protection decisions depends on it.

Modeling: building representations of inventory items for a purpose; every such representation is imperfect and is only as good as the inventory it is built from.

Analysis: mathematical, algorithmic, or other systematic approaches to applying the inventory to meet business needs.

Simulation: analytical methods applied to models to predict outcomes based on situations.

Risk management: the business function used to make decisions about risk acceptance, transfer, mitigation, or avoidance.

Organizational purposes: identifying individuals or functions, communicating and cooperating, structuring activities, or associating ownership or other duties.

Measure coverage and completeness: measurement of a defined subset against the whole set of inventory items (for example, the fraction of systems to which a given control is applied, or the fraction of content items with an identified owner); this presupposes that the whole set is itself known.

Control architecture linkage: connections of inventory items and mechanisms to the control architecture and its model of protection.

Up to date: for the parameters of interest, reflects reality as of a time within a defined recency limit.

Accurate: precisely reflective of reality to within defined precision levels.

Granular: at a level of detail and precision appropriate to the need. Typically:

  Low granularity: the group of systems, type of operating environment, content type, organization, area of business, and general requirements.

  Medium granularity: the system, operating system and version, file, database, and smallest group level within an organization.

  High granularity: the subsystem, set of software present, record and field within record, individual human, specific transaction, and detailed interdependencies with associated detailed requirements, such as time, location, etc.

Unified database: a single database.

Combination of databases: a combination of databases that are federated or otherwise unified so as to act as one.

Set of disparate repositories: a set of databases or other repositories not otherwise unified.

Information in people's heads: things that people know and remember, which cannot be measured for coverage, accuracy, or recency.
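The Basis definitions above (coverage as a defined subset measured against the whole set, up to date as reality within a recency limit, a combination of databases versus disparate repositories, linkages into the control architecture) can be exercised directly on a small inventory. The following is an added illustration, not code from the original page or from any product: the repositories, item identifiers, owners, dates, control names, and the mapping of the decision table's wording onto concrete recency limits are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data: two disparate repositories holding overlapping
# inventory records. Item kinds follow the Basis above; identifiers, owners
# and dates are invented for illustration.
CMDB = [
    {"kind": "Hardware", "id": "srv-01", "owner": "ops", "updated": datetime(2014, 8, 29)},
    {"kind": "Hardware", "id": "srv-02", "owner": None, "updated": datetime(2014, 6, 1)},
    {"kind": "Software", "id": "payroll-app 2.3", "owner": "finance", "updated": datetime(2014, 8, 30)},
]
TEAM_SPREADSHEET = [
    {"kind": "Hardware", "id": "srv-02", "owner": "ops", "updated": datetime(2014, 8, 28)},
    {"kind": "Content", "id": "payroll-db", "owner": "finance", "updated": datetime(2014, 8, 1)},
    {"kind": "People", "id": "j.doe", "owner": "hr", "updated": datetime(2014, 7, 15)},
]

# Linkages: interdependencies between items, plus links from items into the
# control architecture (target kind "Control"). Tuples are
# (source kind, source id, relation, target kind, target id).
LINKAGES = [
    ("Content", "payroll-db", "stored-on", "Hardware", "srv-02"),
    ("Software", "payroll-app 2.3", "processes", "Content", "payroll-db"),
    ("Content", "payroll-db", "protected-by", "Control", "encryption-at-rest"),
    ("Hardware", "srv-01", "protected-by", "Control", "patch-management"),
]

# Assumed mapping of the decision table's wording ("transactional level",
# "management rate", "reasonably up to date") onto concrete recency limits.
RECENCY_LIMIT = {
    "High": timedelta(days=1),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=180),
}

# Reference time for the staleness check (the page's own timestamp).
NOW = datetime(2014, 8, 30, 13, 1, 55)


def federate(*repositories):
    """Act as a 'combination of databases': merge disparate repositories into
    one view keyed by (kind, id). When an item appears in several, keep the
    most recently updated record."""
    unified = {}
    for repo in repositories:
        for rec in repo:
            key = (rec["kind"], rec["id"])
            if key not in unified or rec["updated"] > unified[key]["updated"]:
                unified[key] = rec
    return unified


def coverage(inventory, kind, predicate):
    """Coverage and completeness: the fraction of items of `kind` that satisfy
    `predicate` (the defined subset measured against the whole set)."""
    items = [r for r in inventory.values() if r["kind"] == kind]
    if not items:
        return 0.0
    return sum(1 for r in items if predicate(r)) / len(items)


def has_owner(rec):
    """Organizational purposes: is ownership associated with the item?"""
    return rec["owner"] is not None


def has_control_linkage(rec, linkages=LINKAGES):
    """Control architecture linkage: is the item linked to at least one control?"""
    return any(
        s_kind == rec["kind"] and s_id == rec["id"] and t_kind == "Control"
        for s_kind, s_id, _, t_kind, _ in linkages
    )


def stale_items(inventory, now, risk):
    """Up to date: items whose last update is older than the recency limit
    that the risk level requires, sorted by (kind, id)."""
    limit = RECENCY_LIMIT[risk]
    return sorted(key for key, rec in inventory.items() if now - rec["updated"] > limit)


if __name__ == "__main__":
    alone = federate(CMDB)
    unified = federate(CMDB, TEAM_SPREADSHEET)
    print("hardware with owner, CMDB only:", coverage(alone, "Hardware", has_owner))
    print("hardware with owner, federated:", coverage(unified, "Hardware", has_owner))
    print("hardware linked to a control:", coverage(unified, "Hardware", has_control_linkage))
    for risk in ("High", "Medium", "Low"):
        print(risk, "risk stale items:", stale_items(unified, NOW, risk))
```

Two points the table makes show up in the numbers: ownership coverage of hardware rises from one half to complete once the second repository is federated in, because the newer spreadsheet record for srv-02 supersedes the stale CMDB record; and the same inventory that is acceptable at the Low-risk recency limit has one stale item at the Medium limit and is mostly stale at the High (transactional) limit, which is why the table demands a different form of inventory as risk rises. Whatever is only in people's heads never enters this computation at all, so coverage measured over the repositories overstates true coverage by exactly that unknown amount.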

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved