LESSON 2 - ASSET MANAGEMENT.pdf

Full Transcript

Lesson 2

 Asset Management

Introduction

The fundamental objective of an assurance management program is to
protect the CIA of an organization's assets throughout the life cycle following
the MSR model. A security risk assessment exercise conducted according to
best practices begins with identifying assets and is followed by assessing the
assets' sensitivity and criticality— guarantees that asset protection is
proportional to the asset's value.

Asset
− is a resource with economic value that an individual, corporation, or
country owns or controls with the expectation that it will provide a
future benefit.

Asset Management - can be defined as systematic and coordinated activities
and practices through which an organization optimally and sustainably
manages its assets and asset systems, associated performance, risks, and
expenditures over its life cycles to achieve its organizational strategic plan.

− Asset and data management is based on the idea that it is vital to
identify, track, classify, and assign ownership for the most important
assets in the organization to ensure they are adequately protected.
− Information Asset is an item of value containing information.
− Example: Tracking inventory of IT hardware.
− ISO 27001: Information Security Management Systems is the
international standard that provides a framework for Information
Security Management Systems (ISMS) to provide continued
confidentiality, integrity, and availability of information and legal
compliance, physical and technical controls involved in an
organization's information risk management processes.
− ISO 27001 certification is essential for protecting your most vital assets
like employee and client information, brand image, and other private
information. The ISO standard includes a process-based approach to
initiating, implementing, operating, and maintaining your ISMS.
− ISO 27001 implementation is an ideal response to customer and legal
requirements such as the General Data Protection Regulation (GDPR)
and potential security threats, including cybercrime, personal data
breaches, vandalism/terrorism, fire/damage, misuse, theft, and viral
attacks.

Module II
 2

− ISO 27002 Information Technology – Security Techniques – Code of
Practice is a supplementary standard that focuses on the information
security controls that an organization chooses to implement.
− ISO 27002 is an information security standard "code of practice" for
information security controls - a generic, advisory document, not a
formal specification such as ISO/IEC 27001. It recommends information
security controls addressing information security control objectives
arising from risks to the confidentiality, integrity, and availability of
information.

Think Question #1
Internet Research:
1. What is/are the difference/s between ISO 27001 and ISO 27002?
2. Go to https://www.businesstechweekly.com/legal-and-
compliance/iso27001-certification/iso-27001-implementation/.
What are the 10 steps to Implement ISO 27001.
3. What is PDCA and its relevance to item no. 2?

Types of Assets

1. Information Assets – good quality data and information to develop,
optimize and implement the asset management plan.
2. Human Asset – Employees, temporary staff, contractors, volunteers,
etc., the behaviors, knowledge, and competence of the workforce have
a fundamental influence on the performance of the physical assets.
3. Financial Assets - financial resources are required for infrastructure
investments, operation, maintenance, and materials.
4. Intangible Assets - such as intellectual property (IP), brand, and
reputation
5. Physical Assets associated with processing and infrastructure
a. Hardware – Typically, IT servers, network equipment,
workstations, mobile devices, etc.
b. Software – Purchased or bespoke(made for a particular
customer or user software
c. Services – The actual service provided to end-users (e.g.,
database systems, e-mail, etc.)
d. Locations – Sites, buildings, offices, etc.

Any asset can be grouped logically according to several factors such as:

− Classification – e.g., public, internal, confidential, etc
− Information type – e.g., personal, personal sensitive, commercial, etc
− Financial or non-financial value

Module II – Lesson 2 ITP103|Information Assurance & Security II
 3

The principles of asset management
Asset management is a holistic view and can unite different parts of an
organization to pursue shared strategic objectives. The fundamental
principles and attributes of successful asset management can be explained as
follows:

− Holistic: looking at the whole picture, i.e., the combined implications
of managing all aspects (this includes the combination of different
asset types, the functional interdependencies and contributions of
assets within asset systems, and the different asset life cycle phases
and related activities), rather than a compartmentalized approach.
− Systematic: a methodical approach, promoting consistent, repeatable,
and auditable decisions and actions.
− Systemic: considering the assets in their asset system context and
optimizing the asset systems value (including sustainable performance,
cost, and risks) rather than optimizing individual assets in isolation.
− Risk-based: focussing resources and expenditure, and setting priorities
appropriate to the identified risks and the associated cost/benefits;
− Optimal: establishing the best value compromise between competing
factors, such as performance, cost, and risk, associated with the assets
over their life cycles.
− Sustainable: considering the long-term consequences of short-term
activities to ensure that adequate provision is made for future
requirements and obligations (such as economic or environmental
sustainability, system performance, societal responsibility, and other
long-term objectives).
− Integrated: recognizing that interdependencies and combined effects
are vital to success. This requires a combination of the above
attributes, coordinated to deliver a joined-up approach and net value.

Responsibility for Assets
− The assignment & control of an asset to an identified individual or
entity within the organization is exercising risk management and
security responsibilities.
− Asset responsibility provides accountability for the protection of the
assets under the individual's control. Protection includes appropriate
information assurance and access control failures resulting in
unauthorized access to and using the assets.

1. Inventory of Assets - The organization establishes a baseline by
identifying and recording important information about assets such as
their location, license information, security classification, or
categorization. Placing data into categories is the core of the asset
management process, ensuring that the movement of assets and
changes to its information is documented and updated regularly.
Following this process ensures that important information about the
asset is available readily.

Module II – Lesson 2 ITP103|Information Assurance & Security II
 4

2. Ownership of Assets - It is essential to establish that each asset has
an assigned owner. An owner can be an individual or a functional role
(for example, the head of finance). Designation as an "owner" means
that the individual or party is responsible for the security of the asset
and assigns ultimate accountability. The owner ensures that assets are
correctly classified, and asset use authorizations are reviewed
periodically. The owner can delegate the implementation of
information assurance to someone else; however, the overall
accountability remains with the owner.

3. Acceptable Use of Assets - Acceptable use of information and assets
is vital to get right. Rules for acceptable use of assets are often
documented in an "Acceptable Use Policy."

− The rules for acceptable use must consider employees,
temporary staff, contractors, and other third parties applicable
across the information assets they have access to. All relevant
parties must have access to the set of documented acceptable
use rules, and these are reinforced during regular training and
information security awareness, compliance-related activity.
− For example, several different assets categorized as sensitive
and mission-critical may be covered by the same policies and
associated procedures. Additionally, disclosure and release of
information should be defined in policies and procedures. The
use of nondisclosure agreements and information disclosure
processes should be cited in asset use policies. The data owner
recommends the parameters of acceptable use for their assets
based on the services from the MSR model.

Think Question #2
Internet Research:
1. Example of an Acceptable Use Policy
2. What is a nondisclosure agreement?

4. Return of Assets - All employees and external party users are expected
to return any organizational and information assets upon termination
of their employment, contract, or agreement. It must be an obligation
for employees and external users to return all the assets, and these
obligations would be expected in the relevant agreements with staff,
contractors, and others.

Information Classification
− To ensure that information receives an appropriate level of protection
following its importance to the organization.
− Information should be classified in terms of legal requirements, value,
criticality, and sensitivity to unauthorized disclosure or modification.

Module II – Lesson 2 ITP103|Information Assurance & Security II
 5

1. Classification of Information - The information must be classified in
terms of legal requirements, value, criticality, and sensitivity to any
unauthorized disclosure or modification, ideally classified to reflect
business activity rather than inhibit or complicate it. For example,
information made publicly available, e.g., on a website, might just be
marked 'public.' In contrast, confidential or commercial confidence is
evident because the information is more sensitive than the public.
For example: for a mid-size organization, you may use this kind of
information classification level with three confidential levels and one
public level:

− Confidential (top confidentiality level)
− Restricted (medium confidentiality level)
− Internal use (lowest level of confidentiality)
− Public (everyone can see the information)

Think Question #3
Reading Assignment: Read Information Classification (Categorization)
Example on page 104-108 of the text book.
1. Differentiate classification from categorization?
2. What does a “High” potential impact level mean in relation to the
different security objective?
3. Why is there a need to adjust/finalize information impact level
shown in figure 10-2?

2. Labeling of Asset Control - An appropriate set of procedures for
information labeling should be developed and implemented following
the information classification scheme adopted by the organization.
− The labeling should reflect the classification scheme established
classification of information.
− The labels should be easily recognizable
− The procedures should guide where and how labels are attached
to how the information is accessed, or the assets are handled
depending on the type of media.
− The procedures can define cases where labeling is omitted, e.g.,
labeling of non-confidential information.
− Labeling of classified/category information is a key requirement
for information sharing arrangements.
− Classified assets are easier to identify and accordingly to steal
by insiders or external attackers.
3. Handling of Assets - Procedures for handling assets should be
developed and implemented following the information classification
scheme adopted by the organization.
Procedures should be drawn up for handling processing, storing, and
communicating information consistent with its classification. The
following items should be considered:

Module II – Lesson 2 ITP103|Information Assurance & Security II
 6

1. access restrictions supporting the protection requirements for
each level of classification
2. maintenance of a formal record of the authorized recipients of
assets
3. protection of temporary or permanent copies of information to
a level consistent with the protection of the original
information
4. storage of IT assets following manufacturers' specifications;
5. clear marking of all copies of media for the attention of the
authorized recipient.
Media Handling
− To prevent unauthorized disclosure, modification, removal, or
destruction of information stored on media.

1. Management of Removable Media - Procedures should be
implemented for the management of removable media following the
classification scheme adopted by the organization.

The following guidelines for the management of removable media
should be considered:

1. if no longer required, the contents of any re-usable media that
are to be removed from the organization should be made
unrecoverable;
2. where necessary and practical, authorization should be
required for media removed from the organization, and a
record of such removals should be kept to maintain an audit
trail;
3. all media should be stored in a safe, secure environment,
following manufacturers' specifications;
4. if data confidentiality or integrity are important
considerations. Cryptographic techniques should be used to
protect data on removable media;
5. mitigating the risk of media degrading while stored data is still
needed, and the data should be transferred to fresh media
before becoming unreadable;
6. multiple copies of valuable data should be stored on separate
media to reduce the risk of coincidental data damage or loss;
7. registration of removable media should be considered to limit
the opportunity for data loss;
8. removable media drives should only be enabled if there is a
business reason for doing so; and
9. where there is a need muse removable media, the transfer of
information to such media should be monitored.

Procedures and authorization levels should be documented.

Module II – Lesson 2 ITP103|Information Assurance & Security II
 7

2. Disposal of Media - Media should be disposed of securely when no
longer required, using formal procedures.

Procedures for secure media disposal be established to minimize
confidential information leakage to unauthorized persons. The
procedures for the secure disposal of media containing confidential
information should be proportional to the sensitivity of that
information.

The following items should be considered:

1. Media containing confidential information should be stored and
disposed of securely. e.g., by incineration or shredding. or erasure
of data for use by another application within the organization;
2. procedures should be in place to identify the items that might
require secure disposal;
3. it may be easier to arrange for all media items to be collected and
disposed of securely, rather than attempting to separate the
sensitive items;
4. many organizations offer collection and disposal services for
media; care should be taken in selecting a suitable external party
with adequate controls and experience; and
5. disposal of sensitive items should be logged to maintain an audit
trail.

When accumulating media for disposal, consideration should be given
to the aggregation effect, which can cause a large quantity of non-
sensitive information to become sensitive.
Damaged devices containing sensitive data may require a risk
assessment to determine whether the items should be physically
destroyed rather than sent for repair or discarded.

3. Physical Media Transfer - Media containing information should be
protected against unauthorized access, misuse, or corruption during
transportation.

The following guidelines should be considered to protect media
containing the information being transported:

1. reliable transport or couriers should be used;
2. a list of authorized couriers should be agreed upon with
management;
3. procedures to verify the identification of couriers should be
developed;
4. packaging should be sufficient to protect the contents from any
physical damage likely to arise during transit and following any
manufacturers' specifications, for example, protecting against any
environmental factors that may reduce the media's restoration
effectiveness, such as exposure to heat, moisture, or
electromagnetic fields; and

Module II – Lesson 2 ITP103|Information Assurance & Security II
 8

5. logs should be kept, identifying the content of the media, the
protection applied, and recording the times of transfer to the
transit custodians and receipt at the destination.

Information can be vulnerable to unauthorized access, misuse, or
corruption during physical transport, such as sending media via the
postal service or courier. In this control, the media include paper
documents. When confidential information on media is not encrypted,
additional physical protection of the media should be considered.

 Assignment:

Answer all think questions posted in this lesson.

REFERENCES:
Schou, C., & Hernandez, S. (2014). Information Assurance Handbook: Effective
Computer Security and Risk Management Strategies (1st ed.) [E-book]. McGraw-Hill
Education.

Contributor, T. (2009, September 1). ISO 27001. WhatIs.Com.
https://whatis.techtarget.com/definition/ISO-27001

Panhalkar, T. (2020, July 17). ISO 27001 Annex: A.8 Asset Management. Infosavvy
Security and IT Management Training. https://info-savvy.com/iso-27001-annex-a-8-
asset-management/

ISO/IEC 27002 code of practice. (n.d.). SecAware. Retrieved July 24, 2021, from
https://www.iso27001security.com/html/27002.html

P., & Preteshbiswas, V. A. P. B. (2021, March 31). ISO 27001:2013 A. 8 Asset
management. ISO Consultant in Kuwait.
https://isoconsultantkuwait.com/2019/12/08/iso-270012013-a-8-asset-
management/

What is the General Data Protection Regulation? Understanding & Complying with
GDPR Requirements in 2019. (2020, September 30). Digital Guardian.
https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-
understanding-and-complying-gdpr-data-
protection#:%7E:text=A%20Definition%20of%20GDPR%20(General,protect%20EU%20ci
tizens’%20personal%20data.

What You Need to Know About Assets. (n.d.). Investopedia. Retrieved July 24, 2021,
from https://www.investopedia.com/terms/a/asset.asp

Module II – Lesson 2 ITP103|Information Assurance & Security II