
Chapter 5: Asset Classification

Chapter 5: Asset Classification. Objectives. Assign information ownership responsibilities Develop and use information classification guidelines Understand information handling and labeling procedures Manage an information classification program Identify and inventory information systems

sloan


  1. Chapter 5: Asset Classification

  2. Objectives • Assign information ownership responsibilities • Develop and use information classification guidelines • Understand information handling and labeling procedures • Manage an information classification program • Identify and inventory information systems • Recognize the goal and methodology of criticality assessments • Create and implement asset classification policies

  3. Introduction • What is an information asset? • A definable piece of valuable information to an organization stored in any form • The information is used by the company (regardless of size) to fulfill its mission or goal

  4. What Are We Trying to Protect? • Information Systems • Provide a way and a place to process, store, transmit and communicate the information • Usually a combination of both hardware and software assets • ASPs: Application Service Providers. A way to outsource applications to avoid internal hosting and management • When using an ASP, proper due diligence should be conducted to ensure the protection of the data

  5. What Are We Trying to Protect? Cont. • Information Ownership • ISO stands for Information Security Officer • The ISO is accountable for the protection of the organization. Compare this with: • The information owner is responsible for his/her information • The information custodian is responsible for implementing the actual controls that protect the information assets • The ISO is the central repository of security information

  6. Information Classification • Definitions: • Information Classification • Information classification is the organization of information assets according to their sensitivity to disclosure • Classification Systems • Classification systems are labels that we assign to identify the sensitivity levels

  7. Information Classification Cont. • Government & Military Classification Systems • Top Secret • Secret • Confidential • Unclassified

  8. Information Classification Cont. • Top Secret • applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause an exceptionally grave damage to the national security” • Secret • applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security”

  9. Information Classification Cont. • Confidential • applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security” • Unclassified • applied to “any information that can generally be distributed to the public without any threat to national interest”

  10. Information Classification Cont. • Commercial classification systems: • No standard: each company can choose its own system that matches its culture and needs • Usually less complex than the government system • The more regulated a company, the more complex the classification system they adopt

  11. Information Classification Cont. • Commercial classification systems • Most systems revolve around these four classification levels: • Confidential • Sensitive • Restricted • Public

  12. Information Classification Cont. • Commercial classification systems • Confidential: • Meant to be kept secret • Only available to a small circle of authorized individuals • Equivalent of Top Secret • Disclosure would cause significant financial loss, reputation loss and/or legal liability

  13. Information Classification Cont. • Commercial classification systems • Sensitive: • Does not necessarily imply legal liability and financial loss in case of disclosure • Does imply loss of reputation & personal credibility • May also imply loss of privacy-related information • Access should be granted on a strict need-to-know basis

  14. Information Classification Cont. • Commercial classification systems • Restricted: • Business-related information that should only be used and accessed internally • Unauthorized disclosure would result in impairment of the business and/or result in business, financial or legal loss • Also includes most information subjected to non-disclosure agreements

  15. Information Classification Cont. • Commercial classification systems • Public: • Information that does not require protection • Information that is specifically intended for the public

  16. Information Classification Cont. • Commercial classification systems • Criteria used to classify information: • The info is not public knowledge or public domain • The info has demonstrated value to the organization • The info needs to be protected from the outside of the organization • The info is subject to government regulation • Question a company should ask: • What’s the worst impact that would result from the unauthorized disclosure of this bit of information?

  17. Information Classification Labeling and Handling • Information labeling: • Labeling is the vehicle for communicating the sensitivity level • Familiar labels: • Labels must be clear & self-explanatory • In electronic form, the label should be made part of the file name • In printed form, the label should be clearly visible on the outside and in the header and/or footer

  18. Information Classification Labeling and Handling Cont. • Information handling: • Information must be handled in accordance with its classification • The information user is responsible for using the information in accordance with its classification level
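The following is an added example, not part of the slide deck, that puts slides 16 to 18 together in code: the classification questions become a decision function, the resulting label is embedded in the file name as slide 17 recommends for electronic form, and a handling action is checked against the level as slide 18 requires. The rules inside classify(), the "LEVEL__name" file-name convention and the HANDLING matrix are all assumptions made for illustration; the deck does not prescribe them.

```python
# Added example (not part of the slide deck): apply the deck's four commercial
# classification levels, embed the label in the file name, and check a handling
# action against the level.  The decision rules in classify(), the
# "<LEVEL>__<name>" file-name convention and the HANDLING matrix are
# assumptions made for illustration, not a published standard.
from dataclasses import dataclass
from enum import IntEnum
import re


class Level(IntEnum):
    """Ordered from least to most sensitive, following the deck's listing."""
    PUBLIC = 0
    RESTRICTED = 1
    SENSITIVE = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Criteria:
    """Answers to the classification questions on slide 16."""
    public_knowledge: bool          # already public knowledge / public domain
    demonstrated_value: bool        # has demonstrated value to the organisation
    needs_outside_protection: bool  # must be protected from outside the organisation
    regulated: bool                 # subject to government regulation
    under_nda: bool                 # covered by a non-disclosure agreement
    # worst result of unauthorised disclosure; the tags are assumed:
    # "none" | "business" | "reputation" | "privacy" | "financial_legal"
    worst_impact: str


def classify(c: Criteria) -> Level:
    """Assumed mapping from the criteria to a level (worst-case impact drives it)."""
    if c.public_knowledge or not (c.demonstrated_value or c.needs_outside_protection
                                  or c.regulated or c.under_nda):
        return Level.PUBLIC
    if c.regulated or c.worst_impact == "financial_legal":
        return Level.CONFIDENTIAL       # significant financial loss / legal liability
    if c.worst_impact in ("reputation", "privacy"):
        return Level.SENSITIVE          # reputation, credibility or privacy loss
    return Level.RESTRICTED             # internal-only business information, NDA material


LABEL_RE = re.compile(r"^(PUBLIC|RESTRICTED|SENSITIVE|CONFIDENTIAL)__(.+)$")


def label_filename(name: str, level: Level) -> str:
    """Make the label part of the file name, as slide 17 recommends for electronic form."""
    return f"{level.name}__{name}"


def parse_label(filename: str):
    """Return (level, original name), or None when the file carries no label."""
    m = LABEL_RE.match(filename)
    if m is None:
        return None
    return Level[m.group(1)], m.group(2)


# Assumed handling matrix: which actions each level permits.
HANDLING = {
    Level.PUBLIC: {"email_external", "email_internal", "print", "publish"},
    Level.RESTRICTED: {"email_internal", "print"},
    Level.SENSITIVE: {"email_internal_encrypted", "print"},
    Level.CONFIDENTIAL: {"email_internal_encrypted"},
}


def handling_allowed(filename: str, action: str) -> bool:
    """Slide 18: handle information according to its level.  Unlabelled files fail closed."""
    parsed = parse_label(filename)
    if parsed is None:
        return False
    level, _ = parsed
    return action in HANDLING[level]


if __name__ == "__main__":
    # constructed sample: a regulated financial forecast
    forecast = Criteria(False, True, True, True, False, "financial_legal")
    name = label_filename("q3-forecast.xlsx", classify(forecast))
    print(name, handling_allowed(name, "email_external"))
```

The fail-closed choice in handling_allowed is the practical point: a file that carries no label is treated as if it were not allowed to go anywhere, which is what pushes users to label rather than leave the field blank.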

  19. Information Classification Program Lifecycle • The lifecycle starts with assigning a classification level, and ends with declassification • Information classification Procedure: • A nine-step process: • Define the information asset and the supporting information system • Characterize the criticality of the information system • Identify the information owner and information custodian • Assign a classification level to the information

  20. Information Classification Program Lifecycle Cont. • Information classification Procedure • A nine-step process (cont.): • Determine & implement the corresponding level of security controls • Label the information & information system • Document handling procedures, including disposal • Integrate the handling procedures into an information user security awareness program • Declassify information when (and if) appropriate

  21. Reclassification / Declassification • The need to protect information may change • With that change, the label assigned to that information may change as well • The process of downgrading sensitivity levels is called declassification • The process of upgrading sensitivity levels is called reclassification

  22. Value and Criticality of Information Systems • Information is assigned a classification level for protection purposes • Classification is only one of the elements in determining the overall value & criticality of the information to the organization • The asset’s value must be determined before a cost can be associated with protecting this asset

  23. Value and Criticality of Information Systems Cont. • Calculating the value of an asset: • Cost to acquire or develop asset • Cost to maintain & protect asset • Cost to replace asset • Importance of asset to owner • Competitive advantage of the information • Marketability of information • Impact on delivery of services • Reputation • Liability issues • Regulatory compliance requirements

  24. Value and Criticality of Information Systems Cont. • An organization should always keep an updated information asset inventory • You can’t protect what you don’t know you have! • Asset Inventory Methodology: • Hardware assets include (but are not limited to): • Computer equipment • Communication equipment • Storage media • Infrastructure equipment

  25. Value and Criticality of Information Systems Cont. • Asset Inventory Methodology • Software assets include (but are not limited to): • Operating System software • Productivity software • Application software

  26. Value and Criticality of Information Systems Cont. • Asset Inventory characteristics & attributes: • Each asset should have a unique identifier • Create a naming convention so that all assets are consistently named throughout the company • Each asset should have a description • What is this asset used for? • Manufacturer imprint: • Hardware: Manufacturer name, model & serial numbers • Software: publisher name, version number, revision number, patch level

  27. Value and Criticality of Information Systems Cont. • Asset Inventory characteristics & attributes: • Physical address: geographical location of the asset • Logical address: where the asset can be found in the organization’s network • Controlling entity: the department that funded the purchase/development of this asset
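An added example, not from the slide deck, that checks an inventory against the attributes slides 24 to 27 list: a unique identifier that follows a naming convention, a description, manufacturer details for hardware or publisher details for software, a physical and a logical address, and a controlling entity. The identifier convention (HW or SW, a three-character site code, a four-digit sequence), the record layout and the sample records are assumptions made for illustration.

```python
# Added example (not part of the slide deck): validate an asset inventory
# against the attributes the deck calls for.  The identifier convention,
# the field names and the sample records are assumptions for illustration.
import re

# Assumed naming convention: <HW|SW>-<site code>-<four-digit sequence>
ID_PATTERN = re.compile(r"^(HW|SW)-[A-Z0-9]{3}-\d{4}$")

# Attributes every asset must carry (slides 26 and 27)
COMMON_REQUIRED = ("asset_id", "description", "physical_address",
                   "logical_address", "controlling_entity")
# Manufacturer imprint differs for hardware and software (slide 26)
HW_REQUIRED = ("manufacturer", "model", "serial")
SW_REQUIRED = ("publisher", "version", "revision", "patch_level")


def validate_record(rec: dict) -> list:
    """Return the problems with one inventory record (an empty list means OK)."""
    problems = []
    asset_id = rec.get("asset_id", "")
    if not ID_PATTERN.match(asset_id):
        problems.append(f"{asset_id or '<missing>'}: identifier does not follow the naming convention")
    for field in COMMON_REQUIRED:
        if not rec.get(field):
            problems.append(f"{asset_id or '<missing>'}: missing {field}")
    kind = asset_id[:2]
    specific = HW_REQUIRED if kind == "HW" else SW_REQUIRED if kind == "SW" else ()
    for field in specific:
        if not rec.get(field):
            problems.append(f"{asset_id}: missing {field}")
    return problems


def validate_inventory(records: list) -> list:
    """Validate every record and flag identifiers that are not unique."""
    problems = []
    seen = {}
    for rec in records:
        problems.extend(validate_record(rec))
        aid = rec.get("asset_id")
        if aid in seen:
            problems.append(f"{aid}: duplicate identifier (also used by '{seen[aid]}')")
        else:
            seen[aid] = rec.get("description")
    return problems


# Constructed sample inventory: two good records, two with problems
SAMPLE_INVENTORY = [
    {"asset_id": "HW-HQ1-0001", "description": "Core router, main data centre",
     "manufacturer": "ExampleNet", "model": "R-100", "serial": "SN123456",
     "physical_address": "HQ building 1, room B12", "logical_address": "10.0.0.1",
     "controlling_entity": "IT Operations"},
    {"asset_id": "SW-HQ1-0002", "description": "Payroll application",
     "publisher": "ExampleSoft", "version": "4.2", "revision": "1", "patch_level": "4.2.1-p3",
     "physical_address": "HQ building 1, room B12", "logical_address": "payroll.corp.example",
     "controlling_entity": "Finance"},
    # reuses the router's identifier and has no serial number
    {"asset_id": "HW-HQ1-0001", "description": "Backup tape library",
     "manufacturer": "ExampleStor", "model": "TL-40",
     "physical_address": "HQ building 1, room B14", "logical_address": "10.0.0.40",
     "controlling_entity": "IT Operations"},
    # identifier ignores the convention and the description is empty
    {"asset_id": "laptop-17", "description": "",
     "physical_address": "HQ building 2, desk 17", "logical_address": "10.0.1.17",
     "controlling_entity": "Sales"},
]


if __name__ == "__main__":
    for problem in validate_inventory(SAMPLE_INVENTORY):
        print(problem)
```

Running the check on the sample reports four problems: the duplicate identifier, the missing serial number, the non-conforming identifier and the empty description. The duplicate is the one to care about most: two assets sharing an identifier cannot be told apart in a classification record, a change ticket or an incident report.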

  28. System Characterization • Articulates the understanding of the system, including the boundaries of the system being assessed, the system’s hardware and software, and the information that is stored, processed and transmitted. • Assets should be ranked based on their protection level and importance to the organization

  29. System Characterization Cont. • Two criteria used to rank information: • System impact • How vital is this information to the organization? • Protection level • The level of protection/safeguards required

  30. System Characterization Cont. • Three levels used to characterize information assets (system impact): • High: breach or disruption of information would have major business processing or customer impact • Medium: breach or disruption of information would have minor business processing or customer impact • Low: breach or disruption of information would have no business processing or customer impact

  31. System Characterization Cont. • Three levels used to characterize information assets (Information protection): • High: Compromise / disclosure / loss would have a significant negative impact • Medium: Compromise / disclosure / loss would have some negative impact • Low: Compromise / disclosure / loss would have a minimal negative impact

  32. System Characterization Cont. • Criticality ratings: • provide the basis on which to prioritize and allocate resources to protect information assets • Also used during risk analysis and management, disaster recovery planning and business continuity planning • Should be revised at least once a year and anytime a change driver is introduced
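An added example, not from the slide deck, that carries slides 29 to 32 through in code: each information system gets a system-impact level and a protection level (High, Medium or Low), a criticality rating is derived from the two, the systems are ranked so resources can be allocated to the most critical first, and ratings are flagged for review when a year has passed or a change driver has been introduced. The rating rule (the higher of the two criteria), the tie-breaking, the reference date and the sample systems are assumptions made for illustration.

```python
# Added example (not part of the slide deck): criticality ratings from the
# deck's two criteria, a priority order for resource allocation, and a check
# for ratings that are due for review.  The combination rule and the sample
# data are assumptions for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

RANK = {"Low": 1, "Medium": 2, "High": 3}
REVIEW_INTERVAL = timedelta(days=365)   # slide 32: revise at least once a year


@dataclass
class SystemRecord:
    name: str
    system_impact: str             # High / Medium / Low, slide 30
    protection_level: str          # High / Medium / Low, slide 31
    last_review: date
    change_driver_since_review: bool = False   # slide 32: "anytime a change driver is introduced"


def criticality(rec: SystemRecord) -> str:
    """Assumed rule: the rating is the higher of system impact and protection level."""
    score = max(RANK[rec.system_impact], RANK[rec.protection_level])
    return next(label for label, value in RANK.items() if value == score)


def prioritise(records: list) -> list:
    """System names, most critical first; ties broken by system impact, then by name."""
    ordered = sorted(records,
                     key=lambda r: (-RANK[criticality(r)], -RANK[r.system_impact], r.name))
    return [r.name for r in ordered]


def review_due(rec: SystemRecord, today: date) -> bool:
    """A rating is due for review after a year or whenever a change driver has appeared."""
    return rec.change_driver_since_review or (today - rec.last_review) > REVIEW_INTERVAL


def overdue(records: list, today: date) -> list:
    """Names of the systems whose criticality rating needs revising."""
    return [r.name for r in records if review_due(r, today)]


# Constructed sample systems and a fixed reference date so results are deterministic
SAMPLE_SYSTEMS = [
    SystemRecord("payroll", "High", "High", date(2024, 1, 15)),
    SystemRecord("intranet-wiki", "Low", "Medium", date(2024, 11, 1)),
    SystemRecord("customer-portal", "Medium", "High", date(2024, 6, 1),
                 change_driver_since_review=True),
    SystemRecord("build-server", "Medium", "Low", date(2023, 2, 1)),
]
TODAY = date(2025, 3, 1)


if __name__ == "__main__":
    for rec in SAMPLE_SYSTEMS:
        print(f"{rec.name:16} {criticality(rec):7} review due: {review_due(rec, TODAY)}")
    print("priority order:", prioritise(SAMPLE_SYSTEMS))
```

Taking the higher of the two criteria is deliberately conservative: a system whose data needs a high protection level is treated as critical even if its outage would barely be noticed, because the deck's criticality ratings feed both disaster recovery planning and risk analysis, and the two concerns pull in different directions.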

  33. Summary • A company cannot defend its information assets unless it knows what they are and where they are. Furthermore, the company must also identify how critical these assets are to the business process. • Companies need an inventory of their assets and a classification system for those assets. • Companies should run criticality analyses at least once a year.
