Lesson 2 Asset Management

Introduction

The fundamental objective of an information assurance management program is to protect the confidentiality, integrity, and availability (CIA) of an organization's assets throughout their life cycle, following the MSR model (the Maconachy-Schou-Ragsdale model, which extends the CIA triad with authentication and non-repudiation). A security risk assessment conducted according to best practice begins by identifying assets and then assesses each asset's sensitivity and criticality; this ensures that the protection applied to an asset is proportional to the asset's value.

− Asset – a resource with economic value that an individual, corporation, or country owns or controls with the expectation that it will provide a future benefit.
− Asset Management – the systematic and coordinated activities and practices through which an organization optimally and sustainably manages its assets and asset systems, together with their performance, risks, and expenditures, over their life cycles in order to achieve its organizational strategic plan.
− Asset and data management is based on the idea that it is vital to identify, track, classify, and assign ownership for the most important assets in the organization so that they are adequately protected.
− Information Asset – an item of value containing information. Example: the tracked inventory of IT hardware.
− ISO 27001: Information Security Management Systems is the international standard that provides a framework for an Information Security Management System (ISMS): the physical, technical, and organizational controls involved in an organization's information risk management processes, applied to provide continued confidentiality, integrity, and availability of information and legal compliance.
− ISO 27001 certification supports the protection of an organization's most vital assets, such as employee and client information, brand image, and other private information. The standard takes a process-based approach to initiating, implementing, operating, and maintaining an ISMS.
− ISO 27001 implementation is an appropriate response to customer and legal requirements such as the General Data Protection Regulation (GDPR) and to security threats including cybercrime, personal data breaches, vandalism/terrorism, fire/damage, misuse, theft, and virus and malware attacks.
− ISO 27002 Information Technology – Security Techniques – Code of Practice is a supplementary standard that focuses on the information security controls an organization chooses to implement.
− ISO 27002 is a "code of practice" for information security controls: a generic, advisory document, not a formal specification against which an organization can be certified, as ISO/IEC 27001 is. It recommends information security controls that address control objectives arising from risks to the confidentiality, integrity, and availability of information.

Think Question #1 Internet Research:
1. What is/are the difference/s between ISO 27001 and ISO 27002?
2. Go to https://www.businesstechweekly.com/legal-and-compliance/iso27001-certification/iso-27001-implementation/. What are the 10 steps to implement ISO 27001?
3. What is PDCA, and what is its relevance to item no. 2?

Types of Assets
1. Information Assets – good-quality data and information needed to develop, optimize, and implement the asset management plan.
2. Human Assets – employees, temporary staff, contractors, volunteers, etc. The behaviors, knowledge, and competence of the workforce have a fundamental influence on the performance of the physical assets.
3. Financial Assets – the financial resources required for infrastructure investments, operation, maintenance, and materials.
4. Intangible Assets – such as intellectual property (IP), brand, and reputation.
5. Physical Assets associated with processing and infrastructure:
a. Hardware – typically IT servers, network equipment, workstations, mobile devices, etc.
b. Software – purchased or bespoke (made for a particular customer or user) software.
c.
Services – the actual services provided to end users (e.g., database systems, e-mail, etc.).
d. Locations – sites, buildings, offices, etc.

Any asset can be grouped logically according to several factors, such as:
− Classification – e.g., public, internal, confidential, etc.
− Information type – e.g., personal, personal sensitive, commercial, etc.
− Financial or non-financial value

Module II – Lesson 2 ITP103|Information Assurance & Security II

The principles of asset management
Asset management takes a holistic view and can unite different parts of an organization in pursuit of shared strategic objectives. The fundamental principles and attributes of successful asset management are:
− Holistic: looking at the whole picture, i.e., the combined implications of managing all aspects (the combination of different asset types, the functional interdependencies and contributions of assets within asset systems, and the different asset life cycle phases and related activities), rather than taking a compartmentalized approach.
− Systematic: a methodical approach that promotes consistent, repeatable, and auditable decisions and actions.
− Systemic: considering the assets in their asset-system context and optimizing the value of the asset system (including sustainable performance, cost, and risks) rather than optimizing individual assets in isolation.
− Risk-based: focusing resources and expenditure, and setting priorities, in proportion to the identified risks and the associated costs and benefits.
− Optimal: establishing the best-value compromise between competing factors, such as performance, cost, and risk, associated with the assets over their life cycles.
− Sustainable: considering the long-term consequences of short-term activities, so that adequate provision is made for future requirements and obligations (economic or environmental sustainability, system performance, societal responsibility, and other long-term objectives).
− Integrated: recognizing that interdependencies and combined effects are vital to success. This requires a combination of the above attributes, coordinated to deliver a joined-up approach and net value.

Responsibility for Assets
− Assigning an asset to, and controlling it through, an identified individual or entity within the organization is how risk management and security responsibilities are exercised.
− Asset responsibility provides accountability for the protection of the assets under the individual's control. Protection includes appropriate information assurance controls; access control failures result in unauthorized access to, and use of, the assets.

1. Inventory of Assets – The organization establishes a baseline by identifying and recording important information about each asset, such as its location, license information, and security classification or categorization. Keeping this record, and placing assets into categories, is the core of the asset management process: the movement of assets and changes to their recorded information must be documented and updated regularly, so that important information about any asset is readily available.

2. Ownership of Assets – Each asset must have an assigned owner. An owner can be an individual or a functional role (for example, the head of finance). Designation as "owner" makes that individual or party responsible for the security of the asset and assigns ultimate accountability. The owner ensures that the asset is correctly classified and that authorizations for its use are reviewed periodically. The owner can delegate the implementation of information assurance to someone else, but the overall accountability remains with the owner.

3. Acceptable Use of Assets – Acceptable use of information and assets is vital to get right. Rules for acceptable use of assets are usually documented in an "Acceptable Use Policy."
− The rules for acceptable use must cover employees, temporary staff, contractors, and other third parties, across all the information assets they have access to. All relevant parties must have access to the documented rules, and the rules are reinforced during regular training, information security awareness, and compliance-related activity.
− For example, several different assets categorized as sensitive and mission-critical may be covered by the same policies and associated procedures. Disclosure and release of information should also be defined in policies and procedures, and asset use policies should cite the use of nondisclosure agreements and the information disclosure process. The data owner recommends the parameters of acceptable use for their assets based on the security services of the MSR model.

Think Question #2 Internet Research:
1. Find an example of an Acceptable Use Policy.
2. What is a nondisclosure agreement?

4. Return of Assets – All employees and external party users must return any organizational and information assets upon termination of their employment, contract, or agreement. The obligation to return all assets must be written into the relevant agreements with staff, contractors, and others.

Information Classification
− Objective: to ensure that information receives a level of protection appropriate to its importance to the organization.
− Information should be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification.

1. Classification of Information – Information must be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. The scheme should reflect business activity rather than inhibit or complicate it.
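As an added example (not code from the lesson, the course text, or ISO 27001), the following Python script applies the Inventory, Ownership, and Classification requirements above as a check over a small constructed inventory: every record must name an owner and a location, carry a classification from an assumed four-level scheme (public, internal, restricted, confidential), and have had its use authorizations reviewed by the owner within an interval that tightens with sensitivity. The record layout, the review intervals, and the sample assets are assumptions made for this example.

```python
"""Added example: a consistency check over a small asset inventory.

Illustrative code written for this lesson, not a tool from ISO 27001 or the
course text. The record layout, classification levels, and review intervals
are assumptions chosen for the example.
"""
from datetime import date, timedelta

# Assumed classification scheme, lowest to highest sensitivity.
LEVELS = ("public", "internal", "restricted", "confidential")

# Assumed maximum age (days) of the owner's last review of access
# authorizations; the interval tightens as sensitivity rises.
REVIEW_INTERVAL_DAYS = {
    "public": 365,
    "internal": 365,
    "restricted": 180,
    "confidential": 90,
}

# Constructed sample inventory (not real assets). Each entry carries the
# fields the lesson says an inventory should record.
INVENTORY = [
    {"id": "SRV-001", "type": "hardware", "description": "HR database server",
     "location": "DC-1 rack 4", "owner": "head-of-hr",
     "classification": "confidential", "last_access_review": "2021-06-15"},
    {"id": "SW-017", "type": "software", "description": "Payroll application",
     "location": "SRV-001", "owner": "head-of-finance",
     "classification": "confidential", "last_access_review": "2021-02-01"},
    {"id": "LAP-233", "type": "hardware", "description": "Contractor laptop",
     "location": "", "owner": "",
     "classification": "internal", "last_access_review": "2021-07-01"},
    {"id": "WEB-001", "type": "service", "description": "Public website",
     "location": "cloud-eu-west", "owner": "head-of-marketing",
     "classification": "publc", "last_access_review": None},
]


def check_asset(asset, today):
    """Return the list of findings for one record (empty means compliant)."""
    findings = []
    if not asset.get("owner"):
        findings.append("no owner assigned (no one is accountable)")
    if not asset.get("location"):
        findings.append("location not recorded")
    level = asset.get("classification")
    if level not in LEVELS:
        findings.append(f"classification {level!r} is missing or not in the scheme")
        return findings  # no valid level, so no review interval can be chosen
    last = asset.get("last_access_review")
    if last is None:
        findings.append("access authorizations never reviewed")
    else:
        due = date.fromisoformat(last) + timedelta(days=REVIEW_INTERVAL_DAYS[level])
        if due < today:
            findings.append(f"access review overdue since {due.isoformat()}")
    return findings


def audit_inventory(inventory, today_iso):
    """Map asset id -> findings for every non-compliant record as of today_iso.

    Duplicate ids are flagged too, since an inventory cannot be a baseline
    if the same identifier refers to two assets.
    """
    today = date.fromisoformat(today_iso)
    report = {}
    seen = set()
    for asset in inventory:
        aid = asset["id"]
        findings = check_asset(asset, today)
        if aid in seen:
            findings.append("duplicate asset id in inventory")
        seen.add(aid)
        if findings:
            report[aid] = findings
    return report


if __name__ == "__main__":
    for aid, findings in audit_inventory(INVENTORY, "2021-07-24").items():
        print(aid)
        for finding in findings:
            print("  -", finding)
```

Run as of 2021-07-24, the server record passes, the payroll application is flagged because its last authorization review is older than the 90-day interval assumed for confidential assets, the contractor laptop has neither an owner nor a location, and the website carries a classification that is not in the scheme. In a real deployment the same checks would run against the CMDB or asset register export, with the review intervals taken from the organization's classification policy.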
Information made publicly available, e.g., on a website, might simply be marked 'public', whereas information marked 'confidential' or 'commercial in confidence' is evidently more sensitive than public information. A mid-size organization might use a scheme with three confidential levels and one public level:
− Confidential (top confidentiality level)
− Restricted (medium confidentiality level)
− Internal use (lowest level of confidentiality)
− Public (everyone can see the information)

Think Question #3 Reading Assignment: Read the Information Classification (Categorization) Example on pages 104-108 of the textbook.
1. Differentiate classification from categorization.
2. What does a "High" potential impact level mean in relation to each of the security objectives?
3. Why is there a need to adjust/finalize the information impact level shown in Figure 10-2?

2. Labeling of Information – An appropriate set of procedures for information labeling should be developed and implemented in line with the information classification scheme adopted by the organization.
− Labels should reflect the classification assigned to the information under the established scheme.
− Labels should be easily recognizable.
− The procedures should specify where and how labels are attached, according to how the information is accessed or how the assets are handled, depending on the type of media.
− The procedures can define cases where labeling is omitted, e.g., for non-confidential information.
− Labeling of classified or categorized information is a key requirement for information-sharing arrangements.
− Caveat: a label that identifies an asset as sensitive also makes it easier for an insider or external attacker to pick out what is worth stealing; labeling procedures should take this into account.

3. Handling of Assets – Procedures for handling assets should be developed and implemented in line with the information classification scheme adopted by the organization.
Procedures should be drawn up for handling, processing, storing, and communicating information consistently with its classification. The following items should be considered:
1. access restrictions supporting the protection requirements for each level of classification;
2. maintenance of a formal record of the authorized recipients of assets;
3. protection of temporary or permanent copies of information to a level consistent with the protection of the original information;
4. storage of IT assets in accordance with manufacturers' specifications;
5. clear marking of all copies of media for the attention of the authorized recipient.

Media Handling
− Objective: to prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.

1. Management of Removable Media – Procedures should be implemented for the management of removable media in line with the classification scheme adopted by the organization. The following guidelines should be considered:
1. if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable;
2. where necessary and practical, authorization should be required for media removed from the organization, and a record of such removals should be kept to maintain an audit trail;
3. all media should be stored in a safe, secure environment, in accordance with manufacturers' specifications;
4. if data confidentiality or integrity are important considerations, cryptographic techniques should be used to protect data on removable media;
5. to mitigate the risk of media degrading while the stored data is still needed, the data should be transferred to fresh media before it becomes unreadable;
6. multiple copies of valuable data should be stored on separate media to reduce the risk of coincidental data damage or loss;
7.
registration of removable media should be considered to limit the opportunity for data loss;
8. removable media drives should only be enabled if there is a business reason for doing so; and
9. where there is a need to use removable media, the transfer of information to such media should be monitored.
Procedures and authorization levels should be documented.

2. Disposal of Media – Media should be disposed of securely when no longer required, using formal procedures. Procedures for secure media disposal should be established to minimize the risk of confidential information leaking to unauthorized persons, and they should be proportional to the sensitivity of that information. The following items should be considered:
1. media containing confidential information should be stored and disposed of securely, e.g., by incineration or shredding, or by erasing the data before the media is reused by another application within the organization;
2. procedures should be in place to identify the items that might require secure disposal;
3. it may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items;
4. many external organizations offer collection and disposal services for media; care should be taken in selecting a suitable external party with adequate controls and experience; and
5. disposal of sensitive items should be logged to maintain an audit trail.
When accumulating media for disposal, consideration should be given to the aggregation effect, which can cause a large quantity of non-sensitive information to become sensitive. Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.
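As an added example, not code from the lesson or from the ISO standards, the Python below models removable-media guidelines 2 and 7 above (authorized removals with an audit trail, registration of media) together with the transfer log called for in the physical media transfer section: each removal record lists the media contents by SHA-256 digest, the protection applied, the authorizer, and the dispatch time, and is sealed with an HMAC so that the register itself is tamper-evident; on receipt the contents are re-hashed and compared, so modified, missing, or unexpected files are reported. Refusing to register unencrypted restricted or confidential media applies guideline 4. The signing key, media identifiers, file contents, and classification names are assumptions constructed for the example; encrypting the contents is out of scope here and is only recorded as a field.

```python
"""Added example: a tamper-evident register for removable media leaving the organization.

Illustrative code for this lesson, not part of ISO 27001/27002 or the course
text. The key, media ids, and file contents below are constructed for the example.
"""
import hashlib
import hmac
import json

# Assumed shared secret between the dispatching and receiving registrars.
# In practice this lives in a key store, never in source code.
REGISTER_KEY = b"example-register-key-do-not-use"

# Assumed classification levels that require cryptographic protection on media.
ENCRYPTION_REQUIRED = ("restricted", "confidential")


def content_digests(files):
    """Per-file SHA-256 of the media contents, keyed by path (files: dict path -> bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def sign(record):
    """HMAC-SHA256 over the canonical JSON form of a register record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(REGISTER_KEY, canonical, hashlib.sha256).hexdigest()


def register_removal(media_id, files, classification, protection, authorized_by, dispatched_at):
    """Create a signed removal record (guidelines 2 and 7) for media leaving the organization.

    Refuses unencrypted media carrying restricted or confidential data (guideline 4).
    """
    if classification in ENCRYPTION_REQUIRED and protection == "none":
        raise ValueError(f"{media_id}: {classification} data must be encrypted before removal")
    record = {
        "media_id": media_id,
        "classification": classification,
        "protection": protection,
        "authorized_by": authorized_by,
        "dispatched_at": dispatched_at,
        "contents": content_digests(files),
    }
    return {"record": record, "tag": sign(record)}


def verify_receipt(entry, files_received, received_at):
    """Check a register entry against the media as received and return a receipt.

    An invalid tag means the register entry was altered; digest mismatches mean
    the media contents changed, disappeared, or were added in transit.
    """
    record, tag = entry["record"], entry["tag"]
    receipt = {"media_id": record["media_id"], "received_at": received_at,
               "ok": False, "discrepancies": []}
    if not hmac.compare_digest(tag, sign(record)):
        receipt["discrepancies"].append("register entry signature invalid")
        return receipt
    expected = record["contents"]
    actual = content_digests(files_received)
    for path, digest in expected.items():
        if path not in actual:
            receipt["discrepancies"].append(f"missing: {path}")
        elif actual[path] != digest:
            receipt["discrepancies"].append(f"modified: {path}")
    for path in actual:
        if path not in expected:
            receipt["discrepancies"].append(f"unexpected: {path}")
    receipt["ok"] = not receipt["discrepancies"]
    return receipt


# Constructed sample contents (placeholder bytes, not real data).
SAMPLE_FILES = {
    "exports/payroll-2021-06.csv.gpg": b"\x85\x02\x0c\x07constructed-ciphertext-placeholder",
    "README.txt": b"Encrypted payroll export for the external auditor.\n",
}


def demo():
    """Register one removal, then verify an intact copy, a tampered copy, a forged entry,
    and confirm that an unencrypted confidential removal is refused."""
    entry = register_removal("USB-0042", SAMPLE_FILES, "confidential", "gpg-aes256",
                             "head-of-finance", "2021-07-24T09:00:00Z")
    intact = verify_receipt(entry, SAMPLE_FILES, "2021-07-25T14:30:00Z")
    tampered_files = dict(SAMPLE_FILES)
    tampered_files["README.txt"] = b"Nothing to see here.\n"  # altered in transit
    del tampered_files["exports/payroll-2021-06.csv.gpg"]     # removed in transit
    tampered = verify_receipt(entry, tampered_files, "2021-07-25T14:30:00Z")
    forged = {"record": dict(entry["record"], authorized_by="intern"), "tag": entry["tag"]}
    forged_result = verify_receipt(forged, SAMPLE_FILES, "2021-07-25T14:30:00Z")
    try:
        register_removal("USB-0001", SAMPLE_FILES, "confidential", "none",
                         "head-of-finance", "2021-07-24T09:00:00Z")
        refused = False
    except ValueError:
        refused = True
    return {"intact": intact, "tampered": tampered, "forged": forged_result,
            "refused_unencrypted": refused}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC seals the register entry, not the media: a courier who swaps the drive is caught by the digest comparison, while someone with write access to the log who edits the authorizer field is caught by the tag check, provided the key is held by the registrars and not by whoever can edit the log. The receipt records the time of arrival, which together with the dispatch time gives the custody timeline that item 5 of the transfer guidelines asks for.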
3. Physical Media Transfer – Media containing information should be protected against unauthorized access, misuse, or corruption during transportation. The following guidelines should be considered:
1. reliable transport or couriers should be used;
2. a list of authorized couriers should be agreed upon with management;
3. procedures to verify the identity of couriers should be developed;
4. packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and should follow any manufacturers' specifications, for example protecting against environmental factors that may reduce the media's restoration effectiveness, such as exposure to heat, moisture, or electromagnetic fields; and
5. logs should be kept identifying the content of the media and the protection applied, and recording the times of transfer to the transit custodians and of receipt at the destination.
Information can be vulnerable to unauthorized access, misuse, or corruption during physical transport, such as when media is sent by post or courier. In this control, media includes paper documents. When confidential information on media is not encrypted, additional physical protection of the media should be considered.

Assignment: Answer all think questions posted in this lesson.

REFERENCES:
Schou, C., & Hernandez, S. (2014). Information Assurance Handbook: Effective Computer Security and Risk Management Strategies (1st ed.) [E-book]. McGraw-Hill Education.
TechTarget Contributor. (2009, September 1). ISO 27001. WhatIs.com. https://whatis.techtarget.com/definition/ISO-27001
Panhalkar, T. (2020, July 17). ISO 27001 Annex: A.8 Asset Management. Infosavvy Security and IT Management Training. https://info-savvy.com/iso-27001-annex-a-8-asset-management/
ISO/IEC 27002 code of practice. (n.d.). SecAware.
Retrieved July 24, 2021, from https://www.iso27001security.com/html/27002.html
Preteshbiswas. (2021, March 31). ISO 27001:2013 A.8 Asset management. ISO Consultant in Kuwait. https://isoconsultantkuwait.com/2019/12/08/iso-270012013-a-8-asset-management/
What is the General Data Protection Regulation? Understanding & Complying with GDPR Requirements in 2019. (2020, September 30). Digital Guardian. https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
What You Need to Know About Assets. (n.d.). Investopedia. Retrieved July 24, 2021, from https://www.investopedia.com/terms/a/asset.asp