One Article Review

Source NoticeBored
Identifier 1495733
Publication date 2019-12-22 13:14:31 (viewed: 2020-01-03 15:00:04)
Title NBlog Dec 22 - zero-based risk assessment
Text In a thread on the ISO27k Forum, Ed Hodgson said: "There are many security controls we have already implemented that already manage risk to an acceptable level, e.g. my building has a roof which helps ensure my papers don't get wet, soggy and illegible. But I don't tend to include the risk of papers getting damaged by rain in my risk assessment."

Should we consider or ignore our existing information security controls when assessing information risks for an ISO27k ISMS?

That question took me back to the origins of ISO27k, pre-BS7799 even. As I recall, Donn Parker originally suggested a standard laying out typical or commonplace controls providing a security baseline, a generally-applicable foundation or bedrock of basic or fundamental controls. The idea was to bypass the trivial justification for baseline controls: simply get on with implementing them, saving thinking-time and brain-power to consider the need for additional controls where the baseline controls are insufficient to mitigate the risks. [I'm hazy on the details now: that was ~30 years ago after all.]

I have previously used and still have a soft spot for the baseline concept … and yet it's no easier to define a generic baseline today than it was way back then. In deciding how to go about information risk analysis, should we: Go right back to basics and assume there are no controls at
Sent Yes
Stories APT 17


The article does not appear to have been picked up again after its publication.

The article does not appear to be a repeat of an earlier one.