One Article Review

Home - The article:
Source NoticeBored
Identifier 3512451
Publication date 2021-10-14 17:20:00 (viewed: 2021-10-14 05:05:15)
Title Topic-specific policy 3/11: asset management
Text This piece is different to the others in this blog series. I'm seizing the opportunity to explain the thinking behind, and the steps involved in researching and drafting, an information security policy through a worked example. This is about the policy development process, more than the asset management policy per se. One reason is that, despite having written numerous policies on other topics in the same general area, we hadn't appreciated the value of an asset management policy, as such, even allowing for the ambiguous title of the example given in the current draft of ISO/IEC 27002:2022.

The standard formally but (in my opinion) misleadingly defines asset as 'anything that has value to the organization', with an unhelpful note distinguishing primary from supporting assets. By literal substitution, 'anything that has value to the organization management' is the third example information security policy topic in section 5.1 ... but what does that actually mean?

Hmmmm. Isn't it tautologous? Does anything not of value even require management? Is the final word in 'anything that has value to the organization management' a noun or a verb, i.e. does the policy concern the management of organizational assets, or is it about securing organizational assets that are valuable to its managers; or both, or something else entirely?

Well, OK then, perhaps the standard is suggesting a policy on the information security aspects involved in managing information assets, by which I mean both the intangible information content and (as applicable) the physical storage media and processing/communications systems such as hard drives and computer networks?

Seeking inspiration, Googling 'information security asset management policy' found me a policy by Sefton Council along those lines: with about 4 full pages of content, it covers security aspects of both the information content and IT systems, more specifically information ownership, valuation and acceptable use:

1.2.
Policy Statement The purpose of this policy is to achieve and maintain appropriate protection of organisational assets. It does this by ensuring that every information asset has an owner and that the nature and value of each asset is fully understood. It also ensures that the boundaries of acceptable use are clearly defined for anyone that has access to
Sent Yes
Tags Tool Guideline
Stories APT 17


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.