A common challenge for organizations is defining what is valuable to their business. Once that is defined, the risks to it can be determined. The classic risk management process would not conclude with deploying safeguards and practices to minimize the impact of any event related to this data; it would also extend to a commitment to reassess, reconfigure and shift those safeguards and that position over time.
To be specific: what is valuable to an organization may be the root password to their latest and greatest appliance. The need would be identified by technology and business leaders, who recognize that protecting this code extends their ability to remain competitive. The release of such a key erodes that advantage, especially as in many cases one insight leads to other insights quite rapidly. This was shown clearly by a PS3 representative re-tweeting a message that included the master key for the PS3. Here is an article explaining it very plainly. The individual tweeting it did not know it was sensitive or what it meant. This highlights a critical point in this model: the whole structure relies upon the first premise, defining what is valuable.
Envision a pyramid. The top is what is valuable to an organization, and layer by layer down the pyramid you have the traditional risk management process (this may be ISO 27001, OCTAVE, or others). The point is that as the pyramid is built there are safeguards, costs, management participation, deployments, re-configurations, and so on, continuously, ALL based on the single assumption that the value is known.
Now take that pyramid and flip it over. The challenge becomes clear: the first assumption is now holding the entire program up. I love this analogy because it highlights to everyone the importance and critical need to properly identify what information is valuable and then to communicate and safeguard it properly.
- Valuable information should be considered at an abstract level first, and then the formats and channels of communication approached. Meaning: first decide if product component X is valuable. If so, in what formats does it exist: paper, electronic, physical prototype?
- The safeguards must consider each representation equally and evenly to ensure that the valuable items are protected. Otherwise, as has been proven time and again, the weakest link will be exploited.
- Training, a common and near-constant safeguard, should cover the various forms and NOT be abstract to the participants, but instead reflect their own interaction with the type of data.
- Understand the life-cycle value of the “valuable” item. Meaning: at one point the data is tremendously valuable and senior leadership is involved in protecting it (capex etc.); as time progresses the forms of the valuable item become a commodity. For instance, if you are protecting a device, the moment it is shipped the prototype is less valuable and therefore would require less protection. The safeguards and risk program must consider the ‘half-life’ of the property.
There are many aspects of a risk program, but the linchpin starts and ends at defining what is valuable. The tweet referenced above and below is a single representation of this fact.
See you at RSA SFO 2011!!