Skip to main content

Did i miss to assetize Virtual Machines !

Auditee : Hi There ! Welcome, What would you like to have? Tea or Coffee?
Auditor: Asset Register !

A comprehensive Asset Register is something which is quintessential for any risk management program. Everything that has to do with risk, follows from here. Information Security Risks are no different that any other type of risks. Having a few people (rarely security pro) building asset register will probably mess up any risk management at the very first stage. It has been seen that people generally miss to address technologically advanced assets (The ones they did not understand a few years ago)  to register in their asset inventory. The most obvious are the virtual machines.

 Every day ,Virtual Machines (VM) are being created on the fly as per business requirement, many of them persist for years and many not so much. There are many questions  like: if that particular VM is of some value? Do I need to consider it as valuable at this point of time, when I have nothing in it? What if my organization is in a business to create and destroy hundreds of VMs  every single day, What should i do then? All these and many more unanswered questions might become overwhelming sometimes. This is because there is no one right answer for all these.

Many believe that this issue has come up due to  scarcity of competent resources who can understand the complexity of such so called "trivial activities". Now a days, security pros are paying more attention to activities that are more popular (about which people are talking/tweeting on internet). It has become a forgotten truth that doing one activity nearly perfect, and the other not even to acceptable levels, will create havoc.

Information security risk management have been constantly looked as a basis before investing/deploying any control at all mature organizations. Every single activity in risk management has the capacity to create a deep and embarrassing repercussions later. It has been recommended by the leaders to put a considerable amount of energy/attention in all of the activities rather than the few we fantasize about. Let it not become faux pas for your organization later!

Comments

Post a Comment

Popular posts from this blog

What board of management want to see in your slides?

"It might sound like a hate speech but believe me Top Management doesn't care about security, disaster recovery, compliance, project management and a lots of other domains that you fantasize about. The Board only care about RISK ."    National Association of Corporate Directors was founded in 1977 with the goal to educate directors. What they are telling boards can be understood as what board really need you to put up in slides. Board want you to:- Talk about Enterprise-wide risk management issue rather than just IT issue. Talk about legal implication of cyber risk as they relate to their company's specific circumstances. Talk about risk avoidance, acceptance, and transfer. They basically have interest in knowing how much risk are we taking as compared to others and your confidence factor in your analysis. They want some metrics to make some references. Also, the Board want your security metrics to be thorough and should represent your entire landscape...
Post a Comment
Read more

Hustle and Tussle of Vendor Risk Management

There is no doubt that we humans would have never reached this world of connected Cars, 3d printing and Space travel without trading on each other's resources . We traded what we had for the things we didn't! The world has never been as interdependent as it is right now. This is true for us as an individual and certainly for organizations across geographies. The word "outsourcing" started getting traction in around 90s, but even before that organizations were heavily using it to reduce cost and allow themselves to focus of their core business area. Family owned businesses initially outsourced a small part of their work within their circle of friend and family considering the trust factor, but as the corporation grew and the economy went global , organizations started delegating part of their work to people living on the other side of the globe. Slowly and steadily organizations have reached to a state where they don't even know who their supplier is! The trus...
Post a Comment
Read more