Imagine an attacker who wants to get hold of data or information that is critical to your organization. A determined, skilled attacker will search for the most efficient way to accomplish this, which means he or she will evaluate three general paths:
- An IT-based attack path, using tools to break into your systems from outside, from inside, or through a mixture of both
- A physical attack path, for example by simply stealing a computer
- An attack path that exploits human nature, by bribing or threatening someone.
The attacker may follow a strategic approach that combines actions from all of these spheres, may choose an attack method from only one sphere (perhaps because he or she knows no method from the other paths), or may apply a mixture of measures drawn from several paths.
These paths lead through three spheres that can be thought of as protecting information and data the way the layers of an onion protect the seed. Within this metaphor, the protective layers fall into three distinct groups that are not equally thick (thickness indicating the number of measures an attacker needs to subvert): the human sphere, the technology sphere and the physical sphere. These spheres have aspects that link them and distinct aspects that derive from the individual layers of each sphere:
- Technology: policies, network-level threats and measures, operating-system-level measures, measures at the platform level of databases, and measures and threats within database applications and other applications
- Physical: physical policies, and site characteristics with regard to power, electricity, air conditioning and access
- Human: policies, corporate culture and personal ethics
These spheres are connected by processes that establish interactions between them, since in the end all measures within the spheres are defined, implemented and operated by humans.
When planning to implement an ISMS, considering these spheres will help you define individual measures while keeping sight of the big picture in terms of the effectiveness and efficiency of the ISMS. Both the process of establishing a well-oiled ISMS and the resulting ISMS itself must draw on all of these spheres to mitigate the risks in your risk profile.
Do not underestimate how much your technologies need to be reliable, your sites need to be burglar-proof and your people need to care about and for your assets. Implement the first with verve, the second with attention to detail, and the third, as well as the connecting processes, with wisdom.
The author welcomes comments, opinions or challenges to the views expressed. Please send these to email@example.com