
Asset handling excellence criteria

In document Óbudai Egyetem (Pages 74-78)

5. Criteria of excellence

5.2 Excellence criteria with predecessors

5.2.3 Asset handling excellence criteria

The informal use of the notion "asset" is intentional throughout the whole discussion. Asset risk has already been defined, and that definition dealt with such possible attributes of an asset as its strategic / business value or its vulnerability, for example. In this dissertation we take an asset as an already existing resource / property of the institution, or as such a resource / property that is "under construction".

I do not think that we need any further precision or clarification here, as the suggested improvements are completely understandable without dwelling on a pages-long definition of asset.

Using "asset" this way, information is a special asset. Usually, no matter how important it is to provide for information, it is not the only product and not the only marketable result of corporate operations. Thus it is worth investigating whether the asset handling excellence criteria have any meaning beyond the scope of information.

Confidentiality, I think, could only be formally extended to other kinds of assets, as it is always the information on the product, or on any other kind of asset, that seems to be the thing to be handled confidentially.

However, generalized integrity and generalized availability seem to be able to "live" in real life, too.

5.2.3.1 Confidentiality

"Confidentiality concerns the protection of sensitive information from unauthorised disclosure." [COBIT 4.1]

My proposal for the IT case:

The information is confidentially handled,

if those, and only those, have access to it who have a job to do with it. [Szenes, 2011, Hack.]

Notes on the differences between the two definitions above:

"My" confidentiality - instead of being just a protection requirement - refers to the overall handling of the information. I think that a proper handling of information should require much more than "simply" protecting it.

As a first step, those employees have to be identified who have anything to do with a certain piece of information. This involves sizing up, assessing and classifying the information, then creating organizational roles according to the results, from which the job descriptions can be built, and which will be the base of many important activities that serve not only protection but order, such as identity management or access right management, for example.

Thus I have no other proposal for describing confidential asset handling than handling confidentially every piece of information about the asset.

This requirement will trigger those conditions that deal with the assets themselves.

5.2.3.2 Integrity

"Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations." [COBIT 4.1]

My proposal for the IT case:

The integrity of the information is preserved,

if its handling or processing does not change it inadvertently. [Szenes, 2011, Hack.]

Notes on the differences between the two definitions above:

Complying with the business' expectations suits another criterion, functionality, better. I think that both accuracy and completeness also relate to the appropriate functionality of the information system. It can be noted that both depend greatly on the adequacy of systems analysis.

I prefer to use the everyday meaning of integrity, which is: keeping intact those data that are not operands in an operation. This way this important requirement will be independent of the other criteria.

Besides, by binding this feature explicitly to the processing, I hope that PCUBE-SEC users will not mix it up with confidentiality, which is a frequent mistake.

The generalization is again very simple.

My proposal for describing such asset handling that satisfies the criterion integrity:

The integrity of an asset is said to be preserved,

if its handling or processing does not change it inadvertently.

5.2.3.3 Availability

"Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities." [COBIT 4.1]

Compared to my already published definition [Szenes, 2011, Hack.], I have here a more exact proposal for the IT case:

Availability of the information means that, if it concerns a given matter,

then

it is available to every employee who is competent in this matter, in a planned, predictable, and documented way,

according to the preliminary agreements on its availability.

Note 1:

The agreements can, and - if possible - have to, rule first of all, to a measurable extent, the predictability of the availability. Other issues to be settled are, for example, the way of access, or the time interval for which the information is available.

Note 2:

This "competence" above actually belongs to the domain of confidentiality; this is again an example of the dependence of some of the criteria on each other.

Notes on the differences between the two definitions above:

The explicit defense requirement "safeguarding" suits confidentiality much better, and is contained in it.

The importance of the requirements that I added is self-explanatory.

Extending availability from information to operations, it is worth replacing "measurable extent" with a set of "qualitative and quantitative prescriptions" that are relevant to the situation. Predictability cannot be spared either. The predictions should be as exact and concrete as possible.

My proposal for describing such asset handling that satisfies the criterion availability:

Availability of an asset means that, if it has a role in a given matter, then

it is available to every employee who is competent in this matter,

in a planned, predictable, and documented way, according to the preliminary agreements on its accessibility, which have to refer to every qualitative and quantitative prescription that is relevant in the matter.
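As an added illustration (not the dissertation's own code; every asset, role, record and agreement below is constructed), the three definitions above written as checks: confidentiality reports both extra and missing access, integrity flags any non-operand field that changed, and availability evaluates requests from competent employees against an assumed agreement. It goes slightly beyond the text in counting dropped or newly added fields as integrity changes as well.

```python
# Added illustration (not from the dissertation): the three PCUBE-SEC asset
# handling criteria defined above, expressed as checks over constructed data.

def competent_for(asset_roles, job_roles):
    """Employees whose job description touches the asset: the set that
    confidentiality says should have access, and that availability serves."""
    return {emp for emp, roles in job_roles.items() if roles & asset_roles}

def confidentiality_gaps(asset_roles, job_roles, access_list):
    """'Those, and only those, have access who have a job to do with it':
    both over-entitled and missing employees break the criterion."""
    should = competent_for(asset_roles, job_roles)
    return sorted(access_list - should), sorted(should - access_list)

def inadvertent_changes(before, after, operands):
    """Integrity: processing may change only the declared operands; any
    other field that differs (modified, dropped or added) is inadvertent."""
    return {k for k in set(before) | set(after)
            if k not in operands and before.get(k) != after.get(k)}

def availability_violations(competent, agreement, requests):
    """Availability: a competent employee's request inside the agreed window
    must be served within the agreed delay. Requests by non-competent
    employees are a confidentiality matter and are not counted here."""
    start, end = agreement["window"]
    violations = []
    for emp, hour, delay_s, served in requests:
        if emp not in competent or not start <= hour < end:
            continue
        if not served:
            violations.append((emp, "not served"))
        elif delay_s > agreement["max_delay_s"]:
            limit = agreement["max_delay_s"]
            violations.append((emp, f"delay {delay_s}s exceeds agreed {limit}s"))
    return violations

# Constructed sample: a payroll file whose handling involves two roles.
PAYROLL_ROLES = {"payroll", "audit"}
JOB_ROLES = {"anna": {"payroll"}, "bela": {"audit"},
             "csaba": {"sales"}, "dora": {"payroll", "hr"}}
ACCESS_LIST = {"anna", "bela", "csaba"}        # csaba is extra, dora is missing
BEFORE = {"employee": "anna", "salary": 1000, "iban": "HU00-TEST", "net": 700}
AFTER = {"employee": "anna", "salary": 1100, "iban": "HU00-TEST", "net": 770,
         "currency": "HUF"}                     # "currency" was never an operand
AGREEMENT = {"window": (8, 18), "max_delay_s": 30}
REQUESTS = [("anna", 9, 5, True), ("dora", 10, 45, True),  # (who, hour, delay, served)
            ("bela", 20, 5, False), ("csaba", 11, 5, False), ("anna", 12, 5, False)]

if __name__ == "__main__":
    print(confidentiality_gaps(PAYROLL_ROLES, JOB_ROLES, ACCESS_LIST))
    print(inadvertent_changes(BEFORE, AFTER, {"salary", "net"}))
    print(availability_violations(competent_for(PAYROLL_ROLES, JOB_ROLES), AGREEMENT, REQUESTS))
```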

Finishing the description of my proposals, it is important to emphasize again that the user of PCUBE-SEC can, and is able to, redefine every criterion described above.

6. THE SUCCESSOR OF THE AUDITORS' CONTROL MEASURE: THE
