Tuesday, September 23, 2008

Information in Modern Enterprises

It was late. A long day of talking and thinking and meeting had brought us to a nearly empty airport terminal with nothing much to do for a couple of hours before our flight. A coworker of mine and I started talking about the day, which led to the company, which led to our position in the world as GRC pundits and thought leaders.

We debated GRC a bit. What is it exactly? We debated our current offerings a bit. Are they still relevant, and why do companies keep failing at the same things over and over? Eventually we came to the core question: what is the purpose of security in the modern enterprise? Why should anyone care about security at all?

The discussion ended up sparking the following:

Q: What is the core currency of security as we refer to it? What is the key asset that we are concerned with?

Information. We are concerned with all elements or systems that create, process, transmit, store, or consume information. We also understand that not all information is equally valuable.

Q: What are the key criteria for determining the value of information?

Actionable. Can the information directly lead to decisions or actions? The closer the information is to readily triggering an action, the more valuable it is. There may also be a concept of potential here. Particular bits of information may be unprocessed, and just as ore is refined into metal and metal is worked into tools, you may consider some unprocessed information more valuable based on its potential to drive decisions or actions.

Accurate. How well does the information you have represent the system you are making decisions about? We can also refer to this as internal or external integrity, depending on whether or not the information concerns a system outside of your own.

Timely. How close is the information being consumed relative to the time it would take to make a decision and execute it? Answering this question will likely create one or more windows or ranges that represent varying value. If the information is about a decision in the distant future, it may be nearly useless. If it comes so close to an event that you can take no action, it is equally useless. Interestingly, nearly all information about events in the past retains some value if it can be trended and correlated with events and outcomes.

Proprietary. How widely known is the information? The value that comes from information being proprietary is derived from the advantage any possible decisions or actions give you over other actors. Even if the information is completely exclusive, if it provides no advantage it is of limited value.

Q: How do these attributes relate to work that needs to be done?

The actions related to information (creation, processing, transmitting, storing, and consuming) each impact one or more of these attributes. The systems used to perform those actions become the concern of information security specialists, specifically in identifying the key criteria for the confidentiality, integrity, and availability of each system.

Q: Is there a single framework or mapping that can overlay these concepts onto an organization?

Currently, no. In fact, there likely isn't going to be one in the future either. This is largely due to the specific requirements of individual organizations. Each business treats its information in a somewhat specialized manner, performing unique operations on unique bits of data. Because of these differences, each organization will have different weights and tolerances for the attributes of its information and for the systems that handle it.

Q: Can we at least begin to group enterprises together along commonalities?

Perhaps. A first attempt at this is listed below. The application to operations and practices is where work still needs to be done.
  • Corporations: Primarily concerned with the internal and external integrity of their information. Corporations rely largely on internally generated information or public information. In order to manage and adhere to regulations, they need to be sure that information about themselves is accurate. In order to determine appropriate actions, they need an accurate view of the world in which they operate.
  • Intelligence Services: Sourcing seems to be a huge concern. While integrity is an issue, it seems to be most critical during the aggregation and correlation phases. Given the amount of information someone has to sift through to create a picture, which items they concentrate on and which they ignore is critical. Once an actionable work product is created, ensuring the proprietary nature of that work is key.
  • Government Agencies: Each one seems to have unique needs. However, all of them need to ensure compliance with regulations. Unfortunately, regulations are derived from policy or law, and as such suffer from the problems of applying a lowest common denominator to all groups, or a one-size-fits-all approach that does not create the maximum benefit for anyone.