InfoSecMinds

For like-minded people

Archive for category Information Security Risk Assessment

Classification and labeling – A double edged sword?

May 5

Posted by Vinod Puthuseeri in Information Security, Information Security Risk Assessment | No Comments

I use a public transport to commute between office and home. Recently, I had one gentleman sitting next to me reading a document. I just peeped into the document and all I could instantly read is the document name and it was labeled as “Confidential”.

Now why would somebody read a confidential document during his commute to office on a public transport? Did the classification serve any purpose..? I was getting curious about this and asked him “any urgent review going on…?” He said, “No, why”..? I said, I could see the document classified “Confidential”. He has his explanation as “It is just an old document, maybe sometime in 2006”. Well why the document not re-classified if it was old…?

Read the rest of this entry »

Tags: , , , ,

Assessing C-I-A values.

Dec 23

Posted by Vinod Puthuseeri in CIA Triad, Information Security Risk Assessment, Information Security Risk Management, Risk Assessment | 1 Comment

It is a common discussion during an information security risk assessment exercise at most of the organizations. As a general practice the asset value is derived by weighing the confidentiality ©, Integrity (I) and availability (A) value of an asset. While the assets are categorized into Information, Hardware, Software, Service and People, my argument always has been to say that C-I-A values can be assessed for Information Assets only and for all other it should just be the availability value.

Read the rest of this entry »

Tags: , , ,

Parkerian Hexad

Aug 16

Posted by Vinod Puthuseeri in CIA Triad, ISMS, ISO 27001:2005, Information Security, Information Security Risk Assessment, Information Security Risk Management, Risk Assessment | 2 Comments

The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).

The Parkerian Hexad attributes are the following:

  • Confidentiality
  • Possession or Control
  • Integrity
  • Authenticity
  • Availability
  • Utility

These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.

I think I don’t require to provide the explanation of C-I-A here. Let’s look at the other attributes.

Read the rest of this entry »

Tags: ,

CISF Security at Infosys

Jul 31

Posted by Vinod Puthuseeri in Information Security, Information Security Management System, Information Security Risk Assessment, Information Security Risk Management, Physical Security, Risk Assessment | 2 Comments

In the recent news Infosys becomes the first private company to get CISF security. I have also been reading in yet another blog about a organization conducting mocks drills for terrorist’s attacks. It is quite interesting to see that organizations are now taking security as a prime concern. As mentioned in my previous blog about frisking of VIP’s at airports, the exception mentioned there is an age old rule that was implemented when terrorism was a not major concern.

Read the rest of this entry »

Tags: , , , ,

Service Asset – A Requirement or Duplication

Jul 5

Posted by Vinod Puthuseeri in ISMS, ISO 27001:2005, Information Security Risk Assessment, Risk Assessment | 2 Comments

It just came up recently while discussing with one of my friend, the need for capturing service assets as a part of asset inventory which will be used further for risk assessment exercise.

In a normal scenario, everyone uses a template that captures assests under different cateogories, viz

  • Information Asset – deals with electronic and paper based data
  • Hardware Asset – includes all your hardware, cupboards, safe, etc
  • Software Asset – includes all software’s used or implemented in the organization.
  • Service Asset – services that a department avails from the organization
  • People Asset – talks about people / employees

 Now the discussion went like this:

Read the rest of this entry »

Tags: , ,