You are on page 1of 8

Information Asset Management

Part 2 – Defining Information Asset Groups

Steve Simpson CISSP

Defining the Information Asset Groups and Impacts

Introduction
Following on from the previous document you should now have a really good idea of what information assets are and have identified those which are important to the running of your business. As previously stated, the chances are that there is now a list that is well in excess of twice that which was originally estimated. In fact there could well to be a potentially enormous quantity of data that has been identified. This information is most likely being protected at various levels and to various degrees if indeed it is being protected at all. It is also likely that the protection being given has more to do with where the information is stored rather than being based upon a calculated risk assessment having been carried out. The information needs to be protected but it is unlikely to require the same level of protection across the board. This would not be practical, effective or economical to achieve. Financial information regarding a contract being established with a potentially new client needs a different level of protection to the stationary order for the finance department. Yet both are information assets, both originated from the same broad group (computer on-line based records), both are likely to be stored in the same file system on the computer, and both may even be accessible by the same group of users (finance branch staff). This exaggerated example shows that the broad groups used in the first document are adequate as a means of being thought provoking in the process of gathering details about the information assets, but are not sufficient to assess the security risks or necessary protection to those assets. Therefore further groupings must be established that link the information assets by the way that they need to be protected. From a risk management perspective the best way to group assets for risk evaluation is to place them in groups where the sensitivity of the information is the same and the impact should the information be compromised is the same. The actual groupings used by an organisation will depend upon their core business and could vary widely from company to company. However, some suggested information asset groups might include:  Personnel information – Information containing personal details of the type which is likely to be included within national legislation or which would be useful to anyone attempting identify theft type attacks.  Financial information – Information containing details of a financial nature personnel salary, contract information or corporate standing. This group could include various sub groups if the impact of the compromise of such information is not equal.  Contract information – Information of a contractual sensitive nature which would be of value to business competitors.  Business IP (Business critical data) – This information group would contain your core business information assets (such as a brewers secret beer recipe, or a software companies source code).  Management information – Information on management related topics, not intended for distribution to persons below management level.  Board specific information – Information on corporate board specific topics, not intended for distribution to persons not part of the executive board.

Page 2 of 8 Steve Simpson – Principal Consultant Infosec Plus Consulting

 Technical information – Information of a technical or system nature that could be of invaluable use to potential hacker (external or internal).  Production data – information specific to the processes of a manufacturing or utility organisation  Design data – information relating to specific designs (although this could be included within the Business IP group)  Admin or general information – Information that contains general items that would not have any particularly damaging effects if compromised.

Assessing the value of an asset group
Each information asset now needs to be allocated an owner, in most cases there will be a simple and logical choice of owner (often the creator of the information) but there will also be those that require a little more thought than the others do. The asset owner must be aware that that they are the owner (sounds simple but there have been occasions where the owner of a piece of information has not been aware of this responsibility). The owner needs to have a reason for owning the asset and must understand the content and value of the asset. Before an asset can be valued, there needs to be a standardised measure of value. The generation of such metrics is likely to require the development of an organisational asset value plan, this will require a considerable amount of thought, discussion and yet again, interdepartmental collaboration. In order for the agreed value to be of most use, it is worth considering tying this value to the level of impact for that item of information. Impact in this sense is a rating of the damage that the release of that piece of information would have on the organisation should the information inadvertently be compromised or become public knowledge. Governments and Defence organisations have got this right (how often does anyone get to say that), where the assessment of the value and impact of information assets are concerned. Most people will have come across the classification or protective marking system which generally grades information as falling into one of these groups:      Unclassified Restricted Confidential Secret Top Secret

One of these values is associated with every information asset item within a Government or Defence organisation. To take this even further in organising and for ease of identification, each of the information asset items is required to be labelled with its given value. This is a great visible aid when calculating the risks to each asset. No one is going to suggest that all organisations should adopt an information valuing system as rigid as this but it is worth looking at to see how Government and Defence organisations calculate the value of a piece of information. Each information asset is evaluated (usually during its creation) and at any time that it is modified to establish
Page 3 of 8 Steve Simpson – Principal Consultant Infosec Plus Consulting

what the consequences would be if that piece of information was released outside of its intended target environment. A greatly simplified explanation example for this process could be that if there were no real consequences of an item of information being released or if the information is already public knowledge, then that piece of information can be assessed as having a value of Unclassified. However at the other end of the scale, if the release of an information asset could potentially put a person’s life in jeopardy then the value would have to be much higher and therefore is likely to be classified as Top Secret. Obviously not all valuations would be so straightforward but this should give you some idea of how the value of information assets can greatly vary, and how criteria for the allocation of values could be developed. This unfortunately and obviously does not directly equate to a corporate private sector situation. It is unlikely (although not completely out of the question) that the release of information could result in loss of life. A commercial enterprise is however going to have huge concerns about critical business information leaking out from their organisation, which could lose them their market share or their position at the forefront of their industry. It would not be practical or necessary for all organisations to develop a system whereby it was mandatory for all their information assets to be categorised and labelled. Linking a label specifically to an impact level in the simplified way described above would be particularly difficult to achieve. It may therefore be more practical in some cases to develop two systems; one for identifying restrictions to access and therefore potentially to its storage, and a second for identifying the impact level. Identification of restrictions to access is relatively straightforward and flexible to the needs of any organisation. All organisations must have some information assets that they consider to be sensitive in particular assets that fall into the category of business IP (business critical information) are likely to require restrictions put on them. Likewise most organisations will have information such as personal details that fall into a category as requiring some protection by law or through the mandatory compliance with other governance influences. It would be of great benefit to the organisation if the information assets that fall into these categories could be easily identified. Again referencing the Government and defence information labling systems, there are further categories that place further restrictions on the handling and distribution of the information. These additional categories include such things as the ‘Eyes only’ type information so regularly emphasised in the movie industry and also the more commonly seen ‘in-confidence’ range of markings. This is where an individual organisation could benefit from selecting specific types of information asset and introducing a marking and labelling system to identify them. Labels that match too closely the Government and Defence classification system should be avoided however, to prevent confusion, particularly by organisations that have dealings with Government and Defence departments. This unfortunately counts out the label of ‘confidential’ as a standalone label but does not exclude other derivatives such as the third suggestion below. Labels that may be of use to a corporate environment could include:     Board Only Management Only Business Confidential Personnel in Confidence
Page 4 of 8 Steve Simpson – Principal Consultant Infosec Plus Consulting

  

Contracts in Confidence Commercial in Confidence Finance in Confidence

There are far too many possibilities to list here but as long as the marking system is standardised and understood throughout the organisation implementing it then almost any marking can be used. If an organisation chooses to implement such a system then a system of definitions and boundaries needs to be established in order to regulate the use of the terms. The following table shows a possible single example for such a system of definitions:

Information Label BOARD ONLY

Impact on Confidentiality If the release of information beyond members of the board, could compromise the position of the board or damage the image/reputation of the organisation. Table 1

Restriction of Access Corporate board members and authorised PA’s only.

The above table shows a single example for a representative marking; however, it only includes the impact on confidentiality. It may be necessarily for the impacts on the availability and integrity of the information to be considered as well. A further consideration would be the impact upon compliance as may be the case where regulatory compliance is an organisational concern. This table also only includes a column to define restrictions to on-line information aspects, other aspects which may require consideration are restrictions to storage, means of distribution (handling) etc. It is unlikely to be practical for each and every item of information to be physically labelled. However it would be good policy to select the most sensitive items and make the labelling of these assets mandatory for ease of control over the assets. Policy regarding such labelling needs to be specific about ensuring that all removable media items containing sensitive information assets has a physical label identifying it. This allows for easy identification of such an asset when outside its normal environment.

Assessing the Impact value of an asset
Whilst that takes care of categorising and handling instructions for the information assets we are still in need of giving the assets a value for impact measurement purposes. Here, further influencing factors must be considered that differ from the way in which a Government or Defence organisation would view impact. A commercial organisation will have to consider issues such as potential damage to their brand name and to potential impact on share prices and market position. The simplest means of applying a value to an asset is by associating a number in a scale between 1 and 5. 1 being given to an asset where there is minimal or no impact associated with the compromise of that information and 5 being given to an
Page 5 of 8 Steve Simpson – Principal Consultant Infosec Plus Consulting

asset where there is foreseen to be a large amount of impact resulting from the compromise of that information. In the same way that a table was drawn up for defining the allocation of security related markings for information, a table is required here to define the differences between the 5 levels of value. The actual table used needs to provide clear and specific guidance for the allocation of these values. The table below gives a very generic structure that would need considerable expansion to be of use and is only shown here as a starter to provoke thought on how impact affects your business. Much as I would hate to suggest that any organisation needs to have any even more meetings than they already do have the defining and allocating of impact values is best achieved in a committee type situation.

Value 5 4 3 2

Rating Very High High Medium Low

Definition Impact of compromise of asset would cause grave damage to the organisation. Impact of compromise of asset would cause serious damage to the organisation. Impact of compromise of asset would cause detrimental damage to the organisation. Impact of compromise of asset would cause little damage to the organisation. Impact of compromise of asset would cause minimal damage to the organisation. Table 2

1

Negligible

Once a plan has been developed to define impact levels, these levels can be associated to the groups of assets defined earlier in this document rather than to the extensive quantity of individual asset items that we identified in the first document.

Conclusion
It is never going to be easy taking such a large amount of information and categorising it to the extent that it has a value, but it is a very worthwhile exercise all the same. You will now have a much better picture of the value of information assets and possibly more importantly have a much better idea of what impact the loss of such assets would cause. We are yet another step closer to being able to perform a meaningful risk assessment that will greatly aid in providing you with the most cost effective security plan for your business.

Page 6 of 8 Steve Simpson – Principal Consultant Infosec Plus Consulting

Page intentionally blank

Page 7 of 8 Steve Simpson – Principal Consultant Infosec Plus Consulting

Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored, vender neutral information security business advisory services. Services include:  Data Loss Assessments – Data loss is a serious concern for all organisations. Many organisations each year never manage to recover from a security breach. Infosec Plus can provide you with assurance through a holistic review of your business policies, processes and procedures to establish where you may be susceptible to data loss allowing you to establish where you may be susceptible to dat loss allowing you to access the risks and apply targeted risk mitigation controls. Holistic Security Review – A holistic review of your organisations information security including, technology, procedural, physical and personnel security measures. Risk Assessment/Management – Assessing the risk from specific threats will give you the ability to apply the most efficient and cost effective security measures. The introduction of a risk management program can considerably reduce operational costs. PCI Compliance Review – All organisations that store, process or transmit credit card information must comply with the Payment Card Industries Data Security Standard (PCI-DSS). Infosec Plus can guide you through this process and provide you with the information you need to gain and maintain compliance with this exacting standard. Security Awareness – The single most effective way to reduce data loss and increase the security standing of your organisation is through the introduction of a security awareness program. Infosec Plus can guide you through the development of an awareness program and can provide one to one or one to many training sessions to get the security message across. Network Access Control – All organisations need to protect their valuable business and personal data from the ever increasing need for system interconnectivity. Infosec Plus can guide you through the process for developing a Network Access Control policy that will allow day to day business continue in the safest possible manner. Project Augmentation – If you are running or planning a project that needs to include security representation, Infosec Plus can provide a consultant to join your team providing expert security advice to ensure that the project provides the security that your business information assets require.

Page 8 of 8 Steve Simpson – Principal Consultant Infosec Plus Consulting