information asset management part 1

Upload: steve-simpson

Post on 30-May-2018


  • 8/14/2019 Information Asset Management Part 1

    1/7

    Information Asset Management

    Part 1

    Identifying Information Assets

    Steve Simpson CISSP


    Steve Simpson Principal Consultant Infosec Plus Consulting

    Identifying Information Assets

    Introduction

    Why do any of us need security? When it comes right down to basics, we need security to protect assets. These assets may be in physical or logical form. The physical assets are, to a certain extent, easy to identify and therefore relatively easy to protect. However, when it comes to logical or information assets, how many of us know the full extent of the assets that we have responsibility for? Without knowing what information assets we have, how can we expect to be able to secure or protect them?

    This document is designed to provide those persons with responsibilities for the security of information assets with a basic understanding of information assets and how they can be managed to the benefit of an organisation.

    Information assets are all around us: we cannot run a business without them, and if they get into the wrong hands they can do enormous amounts of damage. All organisations and establishments have information assets that are handled and communicated on a regular basis, and each organisation has an obligation to protect those assets. Would you do business with an organisation that did not offer at least some form of protection for the information regarding your relationship with them? When you deal with another company or organisation you pass on information assets, almost without realising it: names, appointments, contact details and, frequently, banking or payment details. All of these items are information assets and must be given a reasonable and appropriate degree of protection.

    What is an Information Asset?

    An information asset is any piece of information, in any form, that either provides a benefit to the organisation possessing it and/or has a potentially damaging effect if revealed outside that organisation.

    Compliance

    By far the most effective way of demonstrating how serious you are about protecting information assets is through either certification or compliance with a national or international standard such as ISO 27001. Declaring compliance or certification to such standards broadcasts an affirmation of your commitment to securing all information assets entrusted to you.

    However, before such compliance programmes can be considered, and in order for an organisation to consider protecting its assets, the full extent of those assets must be identified. Once identification has been completed and we fully understand the extent of the information that needs to be protected, we can look seriously at the threats posed to those assets. Only then can we accurately analyse the risks to these valuable pieces of information.

    That sounds simple to state, but in practice the identification of all organisational information assets is often far from easy to achieve. To complicate matters further, once an asset has been identified, both its quantity and its value across the whole organisation are required. This difficult task cannot be effectively completed by a single person alone. By far the most effective way to initially assess the scope of an organisation's information assets is through a collaborative process which needs to include representatives from each and every department within the organisation. Each department will have a different viewpoint on what information is available and what value should be placed on an asset. Each of these viewpoints needs to be considered in order to have the most holistic view possible when valuing the assets and analysing the risks to them.

    The process for identifying assets, to the degree that the information gathered can be used to develop an effective analysis of the risks posed to them, needs to be achieved in stages as follows:

    1. Identify all information assets
    2. Define the asset groups
    3. Assess the value and impact of each asset
    4. Identify the threats to the assets

    Only when the risks to information assets have been assessed can a targeted security strategy be developed. Without the risk assessment, applying security is going to be a hit-and-miss affair which will not provide confidence in its application and will not be cost effective.

    Identification of assets

    The usual conception in this technologically obsessed world is to automatically assume that all valuable information assets are those stored on the organisation's ICT systems. The important point to note here is the use of the term information asset, rather than referring to data. In reality this is only one of three broad groups of information assets that we need to establish:

    • Non-Computer based records
    • Computer (online) based records
    • Computer (offline) based records

    Non-Computer based records

    The group most likely to be omitted without prompting by the review organiser is that of non-computer based records. This asset group actually requires the most thought during the information gathering phase. Good old-fashioned paper needs to be included in the gathering of asset information. An organisation's paper-based filing and archiving system is easily identified, and the chances are that information within that filing system already has further categorisation included that will be of assistance in coming phases of this activity. It is also likely that these records may have been considered as physical assets and may already be protected by some physical measures.

    However, there are many other sources of non-computer based information within an organisational environment that are of equal and sometimes greater value. The following non-exhaustive list contains just a few examples of non-computer based records that would need to be considered when gathering information about an organisation's assets:

    • Network or system diagrams, system configuration documentation and other technical information sheets. These may be found on the walls of the engineers' department, contained in tubes for ease of storage, or just kept in the desk drawers in the engineering or IT departments. However, the contents of these documents and diagrams could be of immense value to a person wishing to find out more about an organisation or, worse, wishing to damage that organisation.

    • Admin assistants' minute books or sheets. The minutes of meetings that have been noted down in notebooks or on individual sheets are likely to contain information that senior management would not wish to leave the organisation.

    • Consultants' or engineers' day books. Consultants, engineers, technicians etc. often carry day books in order to keep track of what instructions they have been given, technical details, notes from meetings and much, much more. This information is highly likely to provide an advantage to any would-be attacker.

    • Personnel. What about the in-depth knowledge that your skilled staff walk around with every day, locked in their heads? It is not easy to manage, but there are means of mitigating potential loss. A prime and typical example here is as follows:

      o It is not uncommon for an organisation, when having a new application or system installed, to have only one member of staff trained by the vendor in this topic. This at first glance is an understandable cost saving for the organisation. That staff member returns from training and goes about his business configuring the application for optimal benefit to his organisation. The information he gained in training and then furthered in practice is an asset to the organisation. There is an associated risk that the staff member may become incapacitated or leave, and this would be likely to result in an immediate and measurable impact on the organisation.

    • Audio. Many executives now use portable audio devices to store information that they need to access at a later date. This information is likely to be of the utmost importance to the organisation and must be considered during this exercise. Also, do not overlook the recordings of telephone conversations which are frequently made for training purposes. Again, this media may hold very large amounts of valuable information.

    Computer (online) based records

    The group of Computer (online) based records includes all the information that is stored in your live computer systems. This is the area that will be foremost in the minds of those responsible for identifying information assets. The difficulty here is ensuring that all online computer based records are included throughout the organisation. The obvious areas that need to be considered will include:

    • Central system file storage areas
    • Outsourced file storage areas
    • Central databases
    • Messaging information
    • Online archives

    However, despite the obviousness of this broad asset group, there are also areas that could easily be missed during the asset roundup, and these include:

    • Information stored on standalone computers
    • Information stored on users' desktop computers
    • Information in non-centrally stored databases
    • Information duplication
    • Information published on corporate websites

    Computer (offline) based records

    The final broad asset group to consider is that of Computer (offline) based records. The most obvious examples of offline information assets are backup tapes or other media; these are a highly important asset to any organisation when considering their contribution to the business continuity or disaster recovery strategies. However, it is for these same reasons that they are equally attractive to any potential attacker. Therefore it is essential that all backup media be accounted for within the asset gathering exercise.

    Another area of offline computer based records that has received a lot of press in recent years is the data that is stored on the hard disk drives of PCs which are no longer in use, or on old hard disk drives removed during an upgrade operation. There have been far too many organisations embarrassed by having their sensitive and valuable information assets distributed externally when old computer equipment has been sold off or otherwise disposed of.

    What other offline information assets do we have? Writable magnetic and optical media have always been a concern to CIOs in that they make it so easy to remove information from an organisation's premises. The current fear for CIOs and risk owners is that of thumb or pen drives. These flash memory devices are available anywhere and provide a very cheap means of storing large amounts of information assets. A quick surf of the net whilst writing this shows that flash memory drives are already available up to 64Gb. How many of your valuable information assets would fit onto a memory stick of that size? Pocket-sized external hard drives with enormous capacities are easily available in the High Street. In addition to the potential for loss of data, there have been some recent worrying adware/spyware attacks developed that are being launched through the use of USB flash memory devices.

    On top of this, your Write Once Read Many (WORM) media items, such as COTS software packages, are also assets to the organisation that require a degree of protection. These too must be included when gathering information on the total quantity of an organisation's information assets.

    Conclusion

    At the end of your asset gathering exercise the chances are that you have now identified a list of assets that could be well in excess of twice that which was originally considered. However, this means that you should also have a much better idea of the range and quantity of the information assets that make your business run. From this knowledgeable standpoint you are in a much better position to take on the next stages of asset management, which include assessing the value of the assets and identifying the threats to those assets. When these stages are complete you will be in an excellent position to perform an informed risk analysis of your assets, without which you are at the mercy of the advertisers and salesmen as to what security you need. With the risk assessment you can be assured that you are only paying for the security you need, not just the latest security fashion accessories.


    Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored, vendor-neutral information security business advisory services. Services include:

    • Data Loss Assessments. Data loss is a serious concern for all organisations. Many organisations each year never manage to recover from a security breach. Infosec Plus can provide you with assurance through a holistic review of your business policies, processes and procedures to establish where you may be susceptible to data loss, allowing you to assess the risks and apply targeted risk mitigation controls.

    • Holistic Security Review. A holistic review of your organisation's information security including technology, procedural, physical and personnel security measures.

    • Risk Assessment/Management. Assessing the risk from specific threats will give you the ability to apply the most efficient and cost-effective security measures. The introduction of a risk management program can considerably reduce operational costs.

    • PCI Compliance Review. All organisations that store, process or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Infosec Plus can guide you through this process and provide you with the information you need to gain and maintain compliance with this exacting standard.

    • Security Awareness. The single most effective way to reduce data loss and increase the security standing of your organisation is through the introduction of a security awareness program. Infosec Plus can guide you through the development of an awareness program and can provide one-to-one or one-to-many training sessions to get the security message across.

    • Network Access Control. All organisations need to protect their valuable business and personal data from the ever increasing need for system interconnectivity. Infosec Plus can guide you through the process for developing a Network Access Control policy that will allow day-to-day business to continue in the safest possible manner.

    • Project Augmentation. If you are running or planning a project that needs to include security representation, Infosec Plus can provide a consultant to join your team, providing expert security advice to ensure that the project provides the security that your business information assets require.