Information Security Lecture 5 - Assets PDF

Summary

This presentation covers information security concepts, focusing on assets, identification, and registers. It explains how to define and categorize assets, assess their importance, and determine their value to a business. A key concept is the importance of defining and understanding the role of various assets during business operations.

Full Transcript

Information Security Lecture 5 – Assets

Overview
An overview of key assets.
The process of asset identification.
Production of an asset register.
8 January 2025 2

Assets
Anything that has value and contributes to business operation.
The first stage in risk assessment is asset identification.
The eventual goal of this initial phase is the production of an asset register.
The asset register will list all key assets and who is responsible for them.

Asset Identification
Information – stored electronically, on paper, etc.
Software – operating systems, applications, development tools, etc.
Physical/hardware – any asset that can manipulate information: computers, servers, wiring, fibre, etc.
Services – supporting services: heating, cooling, power, lighting, etc.
People – those who carry the skills and knowledge to support/implement business processes.
Intangibles – brand, reputation, etc.

Asset Focus

Information Assets
Will include not only digital assets within server databases but also anything kept on removable media (if this is allowed) and traditional paper.
May also include knowledge held by key staff members – particularly if they are business critical.
Will either be taken from somewhere else (e.g. taking customer details, buying rich datasets) or created from scratch (e.g. companies focusing on research and development).

The information life cycle
In its most simple form: Acquisition, Use, Archival, Disposal.

Acquisition
May be acquired from a number of sources: through web portals or dedicated interfaces, or through forms completed during a business process.
Usually some kind of processing will be required at this stage in order to make the information useful – attach relevant metadata (e.g. permission level) and business data (project, owner).
Policy controls – encrypt data where needed (Personally Identifiable Information), classification, etc.

Use
After being prepared and stored, it can be utilised as part of business operations.
It will be read and modified by a variety of users; hence defining appropriate metadata is important during acquisition.
Most challenging phase for CIA? Must be available, but only to the right people.
Internal consistency is a problem – working across multiple data stores where replication or modification is required.

Archival
What happens to the information when it is not being used?
If not part of everyday operation, changes or unauthorised access/modification could go undetected for a long period of time without appropriate controls.
Could form the basis for back-ups, but this is different from archives.
What controls need to be applied to archived data sets while they are not in use? Encryption at a minimum…

Disposal
When should the information be deleted? Not so soon that recovery is impossible in case of attack, but not so late that costs are impacted or data compliance rules and regulations are breached.
We need to be certain that data is properly destroyed – physical devices can be wiped, degaussed or shredded (4-7 passes?).
More difficult for distributed data – how do we ensure all copies are correctly removed? Even more difficult when dealing with third parties.

Can be further interpreted as…

Infrastructure
What infrastructure is used during each stage? All of it will be key assets, which blur the lines between the types of asset illustrated earlier.
Will dictate identification of threat vectors and impact our risk analysis.
Server/network security? Database security? Host-based security?

Software/Service Assets
Provide access to data or the means with which to process the data toward a specific purpose.
While we hope that the data is accurate, the algorithms that process it also need to be carefully considered.
Distributed throughout the network on host machines, servers, customer-facing websites, etc. Denial of service here prevents access to the information.

Physical Assets
Hosts and houses the software/business and provides the communication channels between other assets.
Some overlap when talking about potential attacks, but we might be more concerned with physical damage in the first instance. May also consider elements of network attacks.

Systems and Services
Focus here is on support systems within wider contexts: IT support infrastructure, environmental controls, and financial/legal support – where appropriate.
May not want to just consider attacks here – e.g. what happens if the power grid goes down?

Human Assets
Staff members or other key stakeholders who contribute to the daily running of an organisation.
They have knowledge, skills and experience that can often be irreplaceable.
Also happen to be the single biggest source of vulnerabilities for threat exploitation.
Again, information security is not just about attacks – what happens if staff turnover is too high?

Intangible Assets
Broader organisational ideas – brand, reputation, etc.
Aspects of these will differ from company to company and be more or less important depending on the organisational purpose.
Attacks may not be carried out against these directly, but might be carried out with the purpose of damaging them through compromising other assets.
Defining these, and the damage attacks can do to them, is important in making the case for a comprehensive ISMS.

Asset Classes or Process Analysis
List all identified resources for each asset class or category:
– Information
– Software
– Physical/hardware
– Services
– People
– Intangibles
OR, start with a key business process and, through a breakdown of the critical resources required for that process, identify the key assets and the Recovery Time Objective.

Estimate the Recovery Time Objective
How long can the organisation carry on without the asset? Categories and estimates may be described as such:
– Non-essential: 30 days
– Normal: 7 days
– Important: 72 hours
– Urgent: 24 hours
– Critical: minutes to hours
Estimates will help to calculate risk and impact and to decide what kind of controls should be put in place. E.g. critical assets should have strong back-ups and redundancies in place.

Input from users, business process

Critical Processes                     Critical Resources etc.
1. Payroll Processing                  1. LAN Server
2. Time and attendance reporting       2. WAN services
3. Time and attendance verification    3. E-mail
4. Time and attendance approval        4. E-mail server

Process 2 – Max allowable outage: 8 hours
Resources: 1. LAN Server; 2. WAN services; 3. E-mail; 4. E-mail server
Impact: 1. Delay in processing; 2. Inability to perform operations; 3. Delay in payroll processing

Resources          Priority
1. LAN Server      High
2. WAN services    Medium
3. E-mail          Low
4. E-mail server   High
Source: CISSP, Shon Harris.

Assigning Value to Assets
Each asset, when identified, should be classified according to its value to its relevant organisational process. Will its loss or damage lead to any of the following:
– Loss of reputation.
– Loss of competitive advantage.
– Increase in operational expenses.
– Violations of contract agreements/legal requirements.
– Delayed income.
– Loss in revenue.
– Loss in productivity.
Some of these will matter more depending on the business.

Asset Register
List all assets, their importance/evaluation and who is accountable for the asset. This individual should be involved in the resulting risk analysis of threats to that asset.
Register columns: Process/Asset Class | Asset | Likelihood of damage/loss | Impact of damage/loss | Value | Owner | Comments

Example
Process/Asset Class: Sales
Asset: Customer credit card database (RTO: Urgent)
Likelihood of damage/loss: Low
Impact of damage/loss: Very High
Value: Reputation: Very high; Regulatory fines: High
Owner: Sales Manager
Comments: Data at rest. Should this be owned by the IT department?

Summary
Overview of asset groups/categories – primarily concerned with information governance as essential to the operation of a business.
All of which are important to business operations, but present opportunities for vulnerabilities by their presence.
How to produce an asset register (required for the coursework).
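The process-analysis route and the RTO categories above, worked through as an added example (not part of the lecture slides): a business-process breakdown is turned into asset register rows, a resource shared by several processes inherits the tightest outage limit, and assets with no accountable owner are flagged. The category boundaries, the extra outage limits, the HR portal and the owners are assumptions made for the example.

```python
from dataclasses import dataclass

def rto_category(max_outage_hours: float) -> str:
    """Map a maximum allowable outage to the lecture's RTO categories.
    The boundary handling (under a day is Critical, exactly a day is Urgent,
    and so on) is an assumption; the slides only give the headline figures."""
    if max_outage_hours < 24:
        return "Critical"        # minutes to hours
    if max_outage_hours <= 24:
        return "Urgent"          # 24 hours
    if max_outage_hours <= 72:
        return "Important"       # 72 hours
    if max_outage_hours <= 7 * 24:
        return "Normal"          # 7 days
    return "Non-essential"       # 30 days (or longer)

@dataclass
class Process:
    name: str
    max_outage_hours: float
    resources: list              # critical resources the process depends on

def build_register(processes, owners):
    """Derive asset register rows from a business-process breakdown.
    A resource shared by several processes inherits the tightest outage limit
    among them; an asset with no recorded owner is flagged UNASSIGNED so the
    register is not signed off with an accountability gap."""
    tightest, used_by = {}, {}
    for p in processes:
        for r in p.resources:
            tightest[r] = min(tightest.get(r, float("inf")), p.max_outage_hours)
            used_by.setdefault(r, []).append(p.name)
    rows = []
    for asset, hours in sorted(tightest.items(), key=lambda kv: (kv[1], kv[0])):
        rows.append({"asset": asset, "max_outage_hours": hours,
                     "rto": rto_category(hours), "processes": used_by[asset],
                     "owner": owners.get(asset, "UNASSIGNED")})
    return rows

# Constructed sample input: the 8-hour limit and the four resources follow the
# payroll slide; the other limits, the HR portal and the owners are made up.
PROCESSES = [
    Process("Payroll processing", 24, ["LAN server", "E-mail server"]),
    Process("Time and attendance reporting", 8,
            ["LAN server", "WAN services", "E-mail", "E-mail server"]),
    Process("Time and attendance approval", 72, ["E-mail", "HR approval portal"]),
]
OWNERS = {"LAN server": "IT Operations", "E-mail server": "IT Operations",
          "WAN services": "Network team", "HR approval portal": "HR Manager"}
```

Calling `build_register(PROCESSES, OWNERS)` yields the shared resources at Critical (8 hours) with E-mail flagged UNASSIGNED, and the HR approval portal at Important.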
