March 29 - NZ lockdown day 4 of N

Yesterday I wrote about exploiting/making the most of opportunities that arise in a crisis. Here's an example - using COVID-19 as an analogy to help explain a concept.

A question came up on the ISO27k Forum about how to handle 'primary and secondary assets' in the risk assessment processes described by ISO/IEC 27005. This is my response ...

“Primary assets (business processes and activities, information) … usually the core processes and information of the activity in the scope” [ISO/IEC 27005:2018 section B.1.2] are the focal point: that’s what we need to protect. However, in order to do that, we also need to take care of other matters, including the supporting/enabling information systems, networks etc. Those have some intrinsic value (e.g. used but now redundant servers can be upgraded, redeployed, sold or scrapped) but their main value relates to their roles in relation to the primary assets.

A topical analogy is “health” – an asset we all need to protect. For virtually everyone, it’s clearly primary - #1, The Most Important Thing Of All. There are many threats to our health (not just coronavirus!) and we have many vulnerabilities (e.g. we need to breathe, we have mucosa, we need to interact with the world around us to gather essential supplies …), while the impacts of health incidents are many and varied (from ‘feeling a bit off colour’ to death). We can’t directly protect “health” (which is intangible and cloudy), but we can work on various related aspects that, in turn, support good health – like for instance staying out of range of coronavirus and flu sufferers coughing and sneezing; staying well nourished; exercising to maintain physical fitness; thinking about hard stuff like this to maintain mental agility; being vigilant for the symptoms of poor or deteriorating health; having the health services, docs, drugs, respirators etc. to increase our ability to survive disease etc. In infosec terms, that’s a blend of preventive, detective and corrective controls designed to protect our continued integrity and availability 😊

Figuring out and managing health risks is complex, multifaceted and dynamic. There are some things we can’t control at all (e.g. we’re all getting older!) and many that we can only partially control. The controls come with costs and drawbacks, different implications, different effectiveness and benefits. Implementing and using certain controls precludes others and may even increase the risks in other areas (e.g. “Going shopping” is allegedly soothing for some shopaholics but means interacting with the Great Unwashed). The controls have physical and behavioural aspects. There are tools and techniques, individual and societal. There are assurance aspects (“I take vitamin supplements: am I fitter/healthier or just poorer? What about these fish oils and ‘high potency’ vits?”) and snake-oil to be wary of (homeopathy, anyone? Magic crystals? Dancing naked around the standing stones as we sacrifice a goat?).

It’s the same with information risks, right? Hey, we even have computer viruses to worry about! However, we have been looking after our health for millennia, all the way back to the primordial soup, whereas infosec - and more pertinently information risk management - is relatively new and rough around the edges.