Information Asset Management Part 1 – Identifying Information Assets

Steve Simpson CISSP – Principal Consultant, Infosec Plus Consulting

Identifying Information Assets

Introduction

Why do any of us need security? When it comes right down to basics, we need security to protect assets. These assets may be in physical or logical form. The physical assets are, to a certain extent, easy to identify and therefore relatively easy to protect. However, when it comes to logical or information assets, how many of us know the full extent of the assets that we have responsibility for? Without knowing what information assets we have, how can we expect to be able to secure or protect them?

This document is designed to provide those persons with responsibilities for the security of information assets with a basic understanding of information assets and how they can be managed to the benefit of an organisation. Information assets are all around us; we cannot run a business without them, and if they get into the wrong hands they can do enormous amounts of damage. All organisations and establishments have information assets that are handled and communicated on a regular basis, and each organisation has an obligation to protect those assets. Would you do business with an organisation that did not offer at least some form of protection for the information regarding your relationship with them? When you deal with another company or organisation you pass on information assets almost without realising it: names, appointments, contact details and, frequently, banking or payment details. All of these items are information assets and must be given a reasonable and appropriate degree of protection.

What is an Information Asset?

‘An information asset is any piece of information in any form that either provides a benefit to the organisation possessing it, and/or has a potentially damaging effect if revealed outside that organisation.’

Compliance

By far the most effective way of promoting how serious you are about protecting information assets is through either certification or compliance with a national or international standard such as ISO 27001. Declaring compliance or certification to such standards broadcasts an affirmation of your commitment to securing all information assets entrusted to you. However, before such compliance programmes can be considered, and in order for an organisation to consider protecting its assets, the full extent of those assets must be identified. Once identification has been completed and we understand fully the extent of the information that needs to be protected, we can look seriously at the threats posed to those assets. Only then can we accurately analyse the risks to these valuable pieces of information.

This sounds simple to state, but in practice the identification of all organisational information assets is often far from easy to achieve. To complicate matters further, once an asset has been identified, both its quantity and its value across the whole organisation are required. This difficult task is one that cannot be effectively completed by a single person alone. By far the most effective way to initially assess the scope of an organisation's information assets is through a collaborative process which needs to include representatives from each and every department within the organisation. Each department will have a different viewpoint on what information is available and what value should be placed on an asset. Each of these viewpoints needs to be considered in order to have the most holistic view possible when valuing the assets and analysing the risks to them.

The process for identifying assets, to the degree that the information gathered can be used to develop an effective analysis of the risks posed to them, needs to be achieved in stages as follows:

• Identify all information assets
• Define the asset groups
• Assess the value and impact of each asset
• Identify the threats to assets

Only when the risks to information assets have been assessed can a targeted security strategy be developed. Without the risk assessment, applying security is going to be a hit and miss affair which will not provide confidence in its application and will not be cost effective.

Identification of assets

The usual conception in this technologically obsessed world is to automatically assume that all valuable information assets are those stored on the organisation's ICT systems. The important point to note here is the use of the term information asset, rather than referring to data. In reality, data held on ICT systems is only one of three broad groups of information assets that we need to establish:

• Non-computer based records
• Computer (online) based records
• Computer (offline) based records

Non-computer based records

The group most likely to be omitted without prompting by the review organiser is that of non-computer based records. This asset group actually requires the most thought during the information gathering phase. Good old-fashioned paper needs to be included in the gathering of asset information. An organisation's paper-based filing and archiving system is easily identified, and the chances are that information within that filing system already has further categorisation included that will be of assistance in coming phases of this activity. It is also likely that these records have been considered as physical assets and may already be protected by some physical measures. However, there are many other sources of non-computer based information within an organisational environment that are of equal and sometimes greater value. The following non-exhaustive list contains just a few examples of non-computer based records that would need to be considered when gathering information about an organisation's assets:

• Network or system diagrams, system configuration documentation and other technical information sheets – These may be found on the walls of the engineers' department, contained in tubes for ease of storage, or just kept in the desk drawers in the engineering or IT departments. However, the contents of these documents and diagrams could be of immense value to a person wishing to find out more about an organisation or, worse, wishing to damage that organisation.

• Admin assistants' minute books or sheets – The minutes of meetings that have been noted down in notebooks or on individual sheets are likely to contain information that senior management would not wish to leave the organisation.

• Consultants' or engineers' day books – Consultants, engineers, techies etc. often carry day books in order to keep track of what instructions they have been given, technical details, notes from meetings and much, much more. This information is highly likely to provide an advantage to any would-be attacker.

• Personnel – What about the in-depth knowledge that your skilled staff walk around with every day, locked in their heads? It is not easy to manage, but there are means of mitigating potential loss. A prime and typical example here is as follows:

  o It is not uncommon for an organisation, when having a new application or system installed, to have only one member of staff trained by the vendor in this topic. This at first glance is an understandable cost saving for the organisation. That staff member returns from training and goes about his business configuring the application for optimal benefit to his organisation. The information he gained in training and then furthered in practice is an asset to the organisation. There is an associated risk that the staff member may become incapacitated or leave, and this would be likely to result in an immediate and measurable impact on the organisation.

• Audio – Many executives now use portable audio devices to store information that they need to access at a later date. This information is likely to be of the utmost importance to the organisation and must be considered during this exercise. Also, do not overlook the recordings of telephone conversations which are frequently made ‘for training purposes’. Again, this media may hold very large amounts of valuable information.

Computer (online) based records

The group of computer (online) based records includes all the information that is stored in your live computer systems. This is the area that will be foremost in the minds of those responsible for identifying information assets. The difficulty here is ensuring that all online computer based records are included throughout the organisation. The obvious areas that need to be considered will include:

• Central system file storage areas
• Outsourced file storage areas
• Central databases
• Messaging information
• Online archives

However, despite the obviousness of this broad asset group, there are also areas that could easily be missed during the asset roundup, and these include:

• Information stored on standalone computers
• Information stored on users' desktop computers
• Information in non-centrally stored databases
• Information duplication
• Information published on corporate websites

Computer (offline) based records

The final broad asset group to consider is that of computer (offline) based records. The most obvious examples of offline information assets are backup tapes or other media; these are a highly important asset to any organisation when considering their contribution to the business continuity or disaster recovery strategies. However, it is for these same reasons that they are equally attractive to any potential attacker. Therefore it is essential that all backup media be accounted for within the asset gathering exercise.

Another area of offline computer based records that has received a lot of press in recent years is the data that is stored on the hard disk drives of PCs which are no longer in use, or on old hard disk drives removed during an upgrade operation. There have been far too many organisations embarrassed by having their sensitive and valuable information assets distributed externally when old computer equipment has been sold off or otherwise disposed of.

What other offline information assets do we have? Writable magnetic and optical media have always been a concern to CIOs in that they make it so easy to remove information from an organisation's premises. The current fear for CIOs and risk owners is that of thumb or pen drives. These flash memory devices are available anywhere and provide a very cheap means of storing large amounts of information assets. A quick surf of the net whilst writing this shows that flash memory drives are already available up to 64Gb. How many of your valuable information assets would fit onto a memory stick of that size? Pocket-sized external hard drives with enormous capacities are easily available in the High Street. In addition to the potential for loss of data, there have been some recent worrying adware/spyware attacks developed that are launched through the use of USB flash memory devices.

On top of this, your Write Once Read Many (WORM) media items, such as COTS software packages, are also assets to the organisation that require a degree of protection. These too must be included when gathering information on the total quantity of an organisation's information assets.

Conclusion

At the end of your asset gathering exercise, the chances are that you will have identified a list of assets well in excess of twice that which was originally considered. However, this means that you should also have a much better idea of the range and quantity of the information assets that make your business run. From this knowledgeable standpoint you are in a much better position to take on the next stages of asset management, which include assessing the value of the assets and identifying the threats to those assets. When these stages are complete you will be in an excellent position to perform an informed risk analysis of your assets. Without it, you are at the mercy of the advertisers and salesmen as to what security you need. With the risk assessment you can be assured that you are only paying for the security you need, not just the latest security fashion accessories.


Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored, vendor-neutral information security business advisory services. Services include:

• Data Loss Assessments – Data loss is a serious concern for all organisations. Many organisations each year never manage to recover from a security breach. Infosec Plus can provide you with assurance through a holistic review of your business policies, processes and procedures to establish where you may be susceptible to data loss, allowing you to assess the risks and apply targeted risk mitigation controls.

• Holistic Security Review – A holistic review of your organisation's information security, including technology, procedural, physical and personnel security measures.

• Risk Assessment/Management – Assessing the risk from specific threats will give you the ability to apply the most efficient and cost-effective security measures. The introduction of a risk management program can considerably reduce operational costs.

• PCI Compliance Review – All organisations that store, process or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS). Infosec Plus can guide you through this process and provide you with the information you need to gain and maintain compliance with this exacting standard.

• Security Awareness – The single most effective way to reduce data loss and increase the security standing of your organisation is through the introduction of a security awareness program. Infosec Plus can guide you through the development of an awareness program and can provide one-to-one or one-to-many training sessions to get the security message across.

• Network Access Control – All organisations need to protect their valuable business and personal data in the face of the ever-increasing need for system interconnectivity. Infosec Plus can guide you through the process of developing a Network Access Control policy that will allow day-to-day business to continue in the safest possible manner.

• Project Augmentation – If you are running or planning a project that needs to include security representation, Infosec Plus can provide a consultant to join your team, providing expert security advice to ensure that the project delivers the security that your business information assets require.
