6.2 Before the Workshop: Consolidate Information from Processes 1 to 3
Before you can analyze the information that you collected during processes 1 to 3, you need to organize it. Consolidating, or grouping, data provides information in a format you can easily read and understand. This section presents three activities in which the focus is grouping information from processes 1 to 3. These activities do not require decision making and can be carried out by one team member or performed incrementally at the end of processes 2 and 3. They can also be automated.
When you consolidate data from processes 1 to 3, you need to represent the data as originally recorded. You shouldn't paraphrase, edit, or interject opinions into the data as you consolidate them. This preserves the integrity of the data for all later analysis tasks.
This section presents the following data consolidation activities:
Group Assets by Organizational Level
In this activity you group the assets from processes 1 to 3 according to the organizational level that identified them. For each organizational level you document the following:
Let's look at consolidated asset information in the context of our example. Figure 6-5 shows part of the consolidated list of important assets identified by the operational area managers at MedSite.
Group Security Requirements by Organizational Level and Asset
The security requirements identified during processes 1 to 3 are grouped according to the organizational level that identified them and according to asset. Since more than one workshop group might have selected an asset as important, you can have more than one set of security requirements per asset. When you record security requirements information, make sure that you also indicate the security requirement(s) each workshop group considered most important.
Let's look at how the analysis team at MedSite consolidated security requirements information. Figure 6-6 shows the security requirements for PIDS. Notice that senior managers and staff considered availability to be the most important security requirement, while the operational area managers viewed all requirements as equally important. The words that were recorded during the knowledge elicitation workshops are included on the worksheet. Remember that you want to document all information in the words of the participants in order to help you resolve conflicts in viewpoints. There are no PIDS security requirements recorded for the information technology staff, because PIDS was not selected as an important asset during their workshop in process 3.
Group Areas of Concern and Impact by Organizational Level and Asset
In the final consolidation activity you group the areas of concern identified during processes 1 to 3 according to the organizational level that identified them and according to asset. Remember also to record any information about the resulting impact to the organization if it was identified. The consolidated information helps highlight any conflicts or similarities.
Figure 6-7 shows areas of concern for PIDS identified by the operational area managers at MedSite. Notice that the third area of concern does not have an associated impact. During the workshop, this impact was not discussed, nor did the analysis team actively pursue the information. As you consolidate information, you will often find that it is incomplete in places. Part of your job during the process 4 workshop is to fill in these blanks as best you can.
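The three groupings described above can be automated. The following is an added example, not part of the original text or its worksheets: the record layout, field names, and sample statements are constructed for illustration. It groups records without altering the participants' words, lists areas of concern with no recorded impact, and shows which organizational levels did not select an asset.

```python
from collections import defaultdict

LEVELS = ["senior managers", "operational area managers", "staff",
          "information technology staff"]

# Constructed sample records (hypothetical layout). "text" and "impact" hold
# the participants' words and are never edited during consolidation.
RECORDS = [
    {"level": "senior managers", "kind": "asset", "asset": "PIDS"},
    {"level": "senior managers", "kind": "requirement", "asset": "PIDS",
     "category": "availability", "text": "Must be up around the clock.",
     "most_important": True},
    {"level": "senior managers", "kind": "requirement", "asset": "PIDS",
     "category": "confidentiality", "text": "Only care staff may see records.",
     "most_important": False},
    {"level": "operational area managers", "kind": "asset", "asset": "PIDS"},
    {"level": "operational area managers", "kind": "concern", "asset": "PIDS",
     "text": "Staff share passwords.",
     "impact": "Patient data could be disclosed."},
    {"level": "operational area managers", "kind": "concern", "asset": "PIDS",
     "text": "Too many people can enter the server room.", "impact": None},
    {"level": "information technology staff", "kind": "asset", "asset": "network"},
]

def consolidate(records):
    assets = defaultdict(list)                      # level -> [asset]
    reqs = defaultdict(lambda: defaultdict(list))   # asset -> level -> [...]
    concerns = defaultdict(lambda: defaultdict(list))
    for r in records:                               # recorded order is kept
        if r["kind"] == "asset":
            assets[r["level"]].append(r["asset"])
        elif r["kind"] == "requirement":
            reqs[r["asset"]][r["level"]].append(
                (r["category"], r["text"], r["most_important"]))
        elif r["kind"] == "concern":
            concerns[r["asset"]][r["level"]].append((r["text"], r.get("impact")))
    # Blanks for the process 4 workshop: concerns with no recorded impact.
    gaps = [(a, lvl, text) for a, by_lvl in concerns.items()
            for lvl, items in by_lvl.items() for text, impact in items if not impact]
    # Levels that did not select an asset, so none of their data exists for it.
    names = sorted({a for lst in assets.values() for a in lst})
    not_selected = {a: [l for l in LEVELS if a not in assets.get(l, [])] for a in names}
    return {"assets": dict(assets), "requirements": reqs, "concerns": concerns,
            "gaps": gaps, "not_selected": not_selected}

def most_important(result, asset):
    """Per level, the requirement categories that group marked most important."""
    return {lvl: [cat for cat, _, top in items if top]
            for lvl, items in result["requirements"][asset].items()}
```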
This completes the consolidation activities. Next, we move to the process 4 workshop, starting with the selection of your organization's most critical assets.