All.Net

Fri Apr 8 06:51:39 PDT 2016

TechArch: Inventory: What information protection-related inventory is kept and in what form(s)?

Options:

Inventory of {Hardware, Software, Content, People, Uses, Linkages} is used for {business understanding, modeling, analysis, simulation, risk management, organizational purposes, measure coverage and completeness, control architecture linkage} and is {up to date, accurate, granular} to the required level - using a {unified database, combination of databases, set of disparate repositories, information in peoples' heads}

Decision:

Risk	Maturity	of what	used for	properties	kept in	comments
High	Managed+	Hardware, Software, Content, People, Uses, Linkages	business understanding, modeling, analysis, simulation, risk management, organizational purposes, measure coverage and completeness, control architecture linkage	up to date at the transactional level, accurate to the measurement capacity, granular at maximum granularity	unified database, combination of databases, or set of disparate repositories depending on risk aggregation limits	-
High	Defined-	non-defined things	whatever desired	ad-hoc	peoples' heads	Unsafe - increase maturity level
Medium	Managed+	Hardware, Software, Content, People, Uses, Linkages	business understanding, modeling, analysis, risk management, organizational purposes, measure coverage and completeness, control architecture linkage	up to date at management rate, accurate at level of granularity, at medium granularity	unified database, or combination of databases	-
Medium	Repeatable or Defined	Hardware, Software, Content, People	analysis, risk management, organizational purposes	sporadically up to date , reasonably accurate, at medium granularity	set of disparate repositories, and information in peoples' heads	-
Medium	Initial-	non-defined things	whatever desired	ad-hoc	peoples' heads	Unsafe - increase maturity level
Low	Repeatable+	Hardware, Software, People	organizational purposes	reasonably up to date and accurate at low granularity	a set of disparate repositories or peoples' heads	-
Low	Initial-	non-defined things	whatever desired	ad-hoc	peoples' heads	-

What security-related inventory is kept and in what forms?

Basis:

Hardware: Devices that are physical in nature - computers, papers, bookshelves, wires, wiring closets, buildings, etc.

Software: Computer programs of all sorts, particularly those that are licensed or have other potential legal restrictions.

Content: The things that have utility that is protected by the information protection program.

People: Human beings, including corporate persons and other entities with identities.

Uses: The application of content for a business purpose.

Linkages: Interdependencies between inventory items.

Business understanding: the ability to make meaningful decisions is based on understanding how the business works and how information supports those business functions.

Modeling: imperfect representations of things in inventory for a purpose.

Analysis: mathematical, algorithmic, or other systematic approaches to applying the inventory to meet business needs.

Simulation: analytical methods applied to models to predict outcomes based on situations.

Risk management: the business function used to make decisions about risk acceptance, transfer, mitigation, or avoidance.

Organizational purposes: identifying individuals or functions, communicating and cooperating, structuring activities, or associating ownership or other duties.

Measure coverage and completeness: measurement of a defined subset against the whole set of inventory items.

Control architecture linkage: connections of inventory items and mechanisms to the control architecture and its model of protection.

Up to date: within parameters of interest, accurate as to reflection of reality within a recency limit.

Accurate: precisely reflective of reality to within defined precision levels.

Granular: at a level of detail and precision appropriate to the need. Typically, low granularity is to the group of systems, type of operating environment, content type, organization, area of business, and general requirements; medium granularity is to the system, operating system and version, file, database, and smallest group level within an organization; and high granularity is to the subsystem, set of software present, record and field within record, individual human, specific transaction, and detailed interdependencies with associated detailed requirements, such as time, location, etc.

Unified database: a single database.

Combination of databases: a combination of databases that are federated or otherwise unified so as to act as one.

Set of disparate repositories: a set of databases or other repositories not otherwise unified.

Information in peoples' heads: things that people know and remember.