One Article Review

Home - The article:
Source NoticeBored
Identifier 4451281
Publication date 2022-04-15 09:09:24 (seen: 2022-04-14 22:06:19)
Title Value-based infosec
Text  This week in an ISO27k Forum thread about selecting information security controls from ISO/IEC 27002, Ross told us "cost is always A factor, however more accurately, the "Cost-Benefit Ratio" may become a deciding factor. A general principle is that the cost of implementing a risk treatment should never exceed the value of the asset being protected. Determining the 'value' of the 'asset' might be tricky (e.g. impact to brand value when considering consequential reputational risk), however someone within an organisation often has an existing view on this value."

Clearly security controls should save more than they cost, hence in theory organisations should only invest in, operate and maintain controls that are valuable ... but in reality, value-based information risk and security management is far from straightforward.

For starters, we have no choice with some controls: even in a greenfield situation such as a high-tech startup, the very act of designing and building the company depends on a raft of governance and management controls.

Next, consider the costs. Controls have lifecycles incurring costs at every stage, starting even before we develop or procure them, since someone has to determine the requirements, then specify and search for solutions, then implement and configure them. Once operational, there are costs associated with using controls, plus generally they need to be monitored, managed and maintained, and perhaps eventually retired or replaced. Being tricky to measure, it is tempting to ignore these costs, lumping them in with all the other costs of doing business ... which may explain the failure of some kinds of control. Complex controls require significant care and attention to keep them operating efficiently and effectively.

Thirdly, consider the benefits. Information security controls rarely eliminate information risks: usually, the best we can hope for is partial mitigation - reducing the probability and/or impact of certain types of incident - and even that is uncertain without associated controls such as monitoring, compliance and assurance. What is the $ value of reducing information risks? If a given control had not been selected and put into operation, how costly would any corresponding incidents
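The cost-benefit reasoning above (lifecycle costs at every stage, partial mitigation that only reduces probability and/or impact, and the rule that treatment cost should not exceed asset value) can be made concrete with a small annualised loss expectancy model. The following is an added example, not code from the NoticeBored post or the ISO27k Forum thread; the `Control` and `Risk` classes, the cost stages and every dollar figure are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Control:
    """One candidate control with its whole-of-life costs and partial mitigation effect.

    Cost stages follow the lifecycle described in the post: requirements,
    procurement/specification, implementation, ongoing operation (using,
    monitoring, managing, maintaining) and retirement. All values in $ and
    constructed for the example.
    """
    name: str
    requirements: float
    procurement: float
    implementation: float
    annual_operation: float
    retirement: float
    years: int                   # expected service life
    probability_reduction: float # fraction of incident likelihood removed (0..1)
    impact_reduction: float      # fraction of per-incident loss removed (0..1)

    def one_off_cost(self) -> float:
        return self.requirements + self.procurement + self.implementation + self.retirement

    def lifecycle_cost(self) -> float:
        # Total spend over the control's life, including the often-ignored running costs.
        return self.one_off_cost() + self.annual_operation * self.years

    def annualised_cost(self) -> float:
        return self.one_off_cost() / self.years + self.annual_operation


@dataclass
class Risk:
    """An information risk expressed as annual likelihood x impact, plus the asset's value."""
    name: str
    annual_probability: float
    impact: float       # $ loss per incident
    asset_value: float  # the organisation's existing view of what is being protected

    def ale(self) -> float:
        # Annualised loss expectancy with no additional control in place.
        return self.annual_probability * self.impact


def residual_ale(risk: Risk, control: Control) -> float:
    """Partial mitigation: the control scales probability and impact, it does not zero them."""
    p = risk.annual_probability * (1.0 - control.probability_reduction)
    i = risk.impact * (1.0 - control.impact_reduction)
    return p * i


def evaluate(risk: Risk, control: Control) -> Dict[str, float]:
    """Annual benefit is the ALE the control removes; net value subtracts its annualised cost."""
    benefit = risk.ale() - residual_ale(risk, control)
    cost = control.annualised_cost()
    return {
        "annualised_cost": cost,
        "annual_benefit": benefit,
        "net_value": benefit - cost,
        # The post's general principle: treatment cost should not exceed the asset's value.
        "exceeds_asset_value": control.lifecycle_cost() > risk.asset_value,
    }


def rank_controls(risk: Risk, controls: List[Control]) -> List[str]:
    """Return control names ordered by net annual value, best first."""
    scored = [(evaluate(risk, c)["net_value"], c.name) for c in controls]
    return [name for _, name in sorted(scored, key=lambda s: s[0], reverse=True)]


# Constructed sample data: one risk and two candidate treatments.
DATA_LEAK = Risk("customer data leak", annual_probability=0.2, impact=500_000, asset_value=2_000_000)
MODEST_CONTROL = Control("DLP monitoring", 5_000, 20_000, 15_000, 12_000, 10_000, 5, 0.5, 0.2)
GOLD_PLATED = Control("full re-architecture", 20_000, 900_000, 300_000, 200_000, 80_000, 5, 0.9, 0.5)

if __name__ == "__main__":
    for c in (MODEST_CONTROL, GOLD_PLATED):
        print(c.name, evaluate(DATA_LEAK, c))
    print("ranking:", rank_controls(DATA_LEAK, [MODEST_CONTROL, GOLD_PLATED]))
```

Note that the gold-plated option removes far more risk in absolute terms yet has negative net value and breaches the asset-value ceiling once its running costs are counted, which is the point the post makes about lifecycle costs being easy to ignore. The numbers are stylised; in practice the probability and reduction factors are themselves uncertain estimates.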
Sent Yes
Tags Guideline


The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from a previous one.