Information Security Asset Management Quiz
37 Questions
Questions and Answers

Which of the following is considered a human asset within an organization?

  • Brand reputation
  • Physical servers
  • Software applications
  • Staff members (correct)
Intangible assets can include elements like brand and reputation.

True

What does the Recovery Time Objective estimate?

The duration an organization can operate without an asset.

_________ controls are part of the systems and services that support an organization.

Environmental

Match the following asset classes with their examples:

Information = Data or knowledge resources
Software = Applications and programs
Physical/hardware = Servers and devices
Services = Support provided by staff

What is a common concern when discussing physical assets?

Physical damage

What is the primary goal of asset identification in information security?

To produce an asset register

Human assets are generally not a source of vulnerabilities for organizations.

False

Intangible assets, such as brand and reputation, are not considered key assets in information security.

False

What are the phases of the information life cycle?

Acquisition, Use, Archival, Disposal

What might occur if the power grid goes down?

Disruption of IT support infrastructure.

The primary focus of asset identification includes _____, software, hardware, services, people, and intangibles.

information

Which of the following is not typically included in an asset register?

Policies and procedures

Match the type of asset to its description:

Information = Stored electronically or on paper
Software = Operating systems and applications
Physical/Hardware = Computers, servers, and wiring
Services = Supporting systems such as power and cooling

Acquisition of information can only occur through new software purchases.

False

What is a key element that may be required when acquiring information?

Processing to make information useful

What is the primary purpose of an asset register?

To list assets, evaluate their importance, and assign accountability

An asset's likelihood of damage is not related to its impact on a business.

False

What are the two main components that evaluate the potential effect of asset loss?

Likelihood of damage/loss and impact of damage/loss

The __________ of damage/loss for the customer credit card database is categorized as low.

likelihood

Match the following asset categories with their descriptions:

Sales = Concerned with customer transactions and records
IT = Responsible for infrastructure and technology systems
Finance = Manages financial data and reporting
Human Resources = Oversees employee information and recruitment

What is a key consideration when managing archived data sets?

Encryption should be applied as a minimum control.

Only authorized personnel should have access to archival data.

True

What is one method to ensure proper destruction of physical data storage devices?

Degaussing

Information that is not in use should have __________ controls applied to prevent unauthorized access.

appropriate

Match the data management processes with their focus:

Use = Utilization in business operations
Archival = Storage of inactive data
Disposal = Secure destruction of data
Infrastructure = Assets supporting data management

Which of the following is NOT a potential challenge in data disposal?

Making data available to all users.

Data must be retained indefinitely to avoid data loss.

False

Name a type of security that is important for safeguarding databases.

Database security

Which category has the longest timeframe for response?

Non-essential

An urgent task needs to be addressed within 72 hours.

False

What is the maximum allowable outage for the LAN Server?

8 hours

The loss of __________ can lead to delayed income.

revenue

Which of the following is considered a critical resource?

E-mail server

Match the following processes with their corresponding resource priority:

Payroll Processing = High
Time and attendance reporting = Medium
E-mail = Low
Time and attendance verification = High

Which of the following could result from a loss of reputation?

All of the above

What is one example of a violation that could arise from asset loss?

Violations of contract agreements

Study Notes

Information Security Lecture 5 - Assets

• Assets are anything with value that contributes to business operations.
• Asset identification is the first stage in risk assessment.
• The goal of this initial phase is the creation of an asset register.
• The asset register lists all important assets and who is responsible for them.

Asset Identification

• Information assets include both electronically and physically stored data.
• Software assets include operating systems, applications, and development tools.
• Physical assets are those that manipulate information (e.g., computers, servers, wiring, and fiber).
• Services support the business process (e.g., heating, cooling, power, and lighting).
• People possessing the skills and knowledge to support or implement business processes are also considered assets.
• Intangible assets include brand reputation.

Asset Focus

• The diagram illustrates the different types of assets under junior and senior focus.
• Categories include intangible assets, people, systems and services, physical assets, hardware and software, information, and data.

Information Assets

• Information assets include digital assets within server databases, removable media, and traditional paper.
• Business-critical knowledge held by staff members is also an asset.
• Information can be acquired from other sources (e.g., buying datasets or taking customer details).
• Some information is created from scratch (e.g., by research and development companies).

The Information Life Cycle

• The information life cycle, in its simplest form, includes acquisition, use, archiving, and disposal.

Acquisition

• Assets may be acquired from various sources.
• Web portals or dedicated interfaces are used.
• Forms completed during business processes are also used.
• Processing is usually required to make information useful, including attaching metadata and applying policy controls (such as encryption where needed).

Use

• Prepared and stored information can be used as part of business processes.
• It is used and modified by many users.
• Defining appropriate metadata during the acquisition stage is important, as use is one of the most challenging stages for CIA (confidentiality, integrity, availability).
• Internal consistency across data stores is critical.

Archival

• What happens to information when it is not in use?
• Unauthorized access/modification can occur without appropriate controls.
• Archived data can serve as a basis for backups, but backup and archiving are not the same thing.
• Controls need to be applied to archived data to protect it.
• Encryption is a minimum level of protection for archives.

Disposal

• Information needs to be deleted at the right time: not so soon that it cannot be recovered in the case of an attack, but not so late that costs and compliance issues arise.
• Data must be properly destroyed (e.g., physical devices wiped, degaussed or shredded).
• Distributed data requires careful removal of all copies.
• Dealing with third parties presents additional challenges.

Data in Use, Motion, and Rest

• Data in use is actively changed and stored in databases, warehouses, and spreadsheets (e.g., active data under constant change).
• Data in motion is data being transferred on a network, or temporarily stored in a computer's memory to be read or updated (e.g., data traversing a network).
• Data at rest resides in storage, like databases, data warehouses, spreadsheets, archives, tapes or offsite backups (e.g., inactive data stored physically).
Infrastructure

• Infrastructure is crucial during all stages of the life cycle.
• Understanding infrastructure helps identify threat vectors and assess risk.
• Key areas to consider include server/network security, database security, and host-based security.

Software/Service Assets

• Software/services provide access to data or tools to process data.
• Data accuracy and algorithms need careful consideration.
• Software/services are distributed throughout the network on host machines, servers and customer-facing websites.
• Denial-of-service attacks can prevent access to information.

Physical Assets

• Physical assets house software and business operations and provide communication channels.
• Physical damage/attacks to physical assets are significant.
• Considerations extend to network-based attacks.

Systems and Services

• Support systems include IT infrastructure, environmental controls, and financial or legal support (where applicable).
• Threats to these are not limited to deliberate attacks (e.g., a power outage).

Human Assets

• Staff and stakeholders are crucial parts of an organisation.
• They are a source of knowledge, skills and experience that is often irreplaceable.
• They can also be a primary source of vulnerabilities.
• Staff turnover can be a security issue.

Intangible Assets

• Intangible assets include brand, reputation, and broader organisational ideas.
• Their value can vary depending on the organisation.
• Attacks can target intangible assets by compromising other assets.
• The case for a comprehensive ISMS can be assisted by understanding and defining these intangible assets.

Asset Register

• List all assets and their importance/evaluation with who is accountable.
• The owner of an asset should be involved in risk analysis.

Example (Asset Register entry)

• Each entry records the information needed about the asset involved.

Estimating the Recovery Time Objective (RTO)

• Calculate how long an organisation can function without an asset.
• Asset classifications like non-essential (30 days), normal (7 days), important (72 hours), urgent (24 hours) and critical (minutes to hours) can be used.
• Critical assets need strong backups and redundancy.

Assigning value to assets

• Each asset is characterised according to its importance to a particular organisational process.
• Impacts considered include loss of reputation, loss of competitive advantage, increase in operational expenses, contract violations, delayed income, loss in revenue, and loss in productivity.
Description

Test your knowledge on asset management in information security. This quiz covers various types of assets, their classifications, and the importance of asset identification. Understand key concepts like Recovery Time Objective and the information life cycle phases to boost your expertise.
