Chapter 5: Asset Classification

Objectives

- Assign information ownership responsibilities
- Develop and use information classification guidelines
- Understand information handling and labeling procedures
- Manage an information classification program
- Identify and inventory information systems
- Recognize the goal and methodology of criticality assessments
- Create and implement asset classification policies

Introduction

What is an information asset?
- A definable piece of valuable information to an organization, stored in any form
- The information is used by the company (regardless of size) to fulfill its mission or goal

What Are We Trying to Protect?

Information Systems
- Provide a way and a place to process, store, transmit and communicate the information
- Usually a combination of both hardware and software assets
- ASPs: Application Service Providers. A way to outsource applications to avoid internal hosting and management
- When using an ASP, proper due diligence should be conducted to ensure the protection of the data

What Are We Trying to Protect? Cont.

Information Ownership
- ISO stands for Information Security Officer
- The ISO is accountable for the protection of the organization. Compare this with:
  - The information owner is responsible for his/her information
  - The information custodian is responsible for implementing the actual controls that protect the information assets
- The ISO is the central repository of security information

Information Classification

Definitions:
- Information Classification: the organization of information assets according to their sensitivity to disclosure
- Classification Systems: the labels that we assign to identify the sensitivity levels

Information Classification Cont.

Government & Military Classification Systems
- Top Secret
- Secret
- Confidential
- Unclassified

Information Classification Cont.

- Top Secret: applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause an exceptionally grave damage to the national security”
- Secret: applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security”

Information Classification Cont.

- Confidential: applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security”
- Unclassified: applied to “any information that can generally be distributed to the public without any threat to national interest”

Information Classification Cont.

Commercial classification systems:
- No standard: each company can choose its own system that matches its culture and needs
- Usually less complex than the government system
- The more regulated a company, the more complex the classification system they adopt

Information Classification Cont.

Commercial classification systems
- Most systems revolve around these four classification levels:
  - Confidential
  - Sensitive
  - Restricted
  - Public

Information Classification Cont.

Commercial classification systems: Confidential
- Meant to be kept secret
- Only available to a small circle of authorized individuals
- Equivalent of Top Secret
- Disclosure would cause significant financial loss, reputation loss and/or legal liability

Information Classification Cont.

Commercial classification systems: Sensitive
- Does not necessarily imply legal liability and financial loss in case of disclosure
- Does imply loss of reputation & personal credibility
- May also imply loss of privacy-related information
- Access should be granted on a strict need-to-know basis

Information Classification Cont.

Commercial classification systems: Restricted
- Business-related information that should only be used and accessed internally
- Unauthorized disclosure would result in impairment of the business and/or result in business, financial or legal loss
- Also includes most information subjected to non-disclosure agreements

Information Classification Cont.

Commercial classification systems: Public
- Information that does not require protection
- Information that is specifically intended for the public

Information Classification Cont.

Commercial classification systems: criteria used to classify information
- The info is not public knowledge or public domain
- The info has demonstrated value to the organization
- The info needs to be protected from the outside of the organization
- The info is subject to government regulation

Question a company should ask: What’s the worst impact that would result from the unauthorized disclosure of this bit of information?

Information Classification Labeling and Handling

Information labeling:
- Labeling is the vehicle for communicating the sensitivity level
- Familiar labels:
- Labels must be clear & self-explanatory
- In electronic form, the label should be made part of the file name
- In printed form, the label should be clearly visible on the outside and in the header and/or footer

Information Classification Labeling and Handling Cont.

Information handling:
- Information must be handled in accordance with its classification
- The information user is responsible for using the information in accordance with its classification level

Information Classification Program Lifecycle

The lifecycle starts with assigning a classification level, and ends with declassification

Information classification procedure: a nine-step process
1. Define the information asset and the supporting information system
2. Characterize the criticality of the information system
3. Identify the information owner and information custodian
4. Assign a classification level to the information

Information Classification Program Lifecycle Cont.

Information classification procedure: a nine-step process (cont.)
5. Determine & implement the corresponding level of security controls
6. Label the information & information system
7. Document handling procedures, including disposal
8. Integrate the handling procedures into an information user security awareness program
9. Declassify information when (and if) appropriate

Reclassification / Declassification

- The need to protect information may change
- With that change, the label assigned to that information may change as well
- The process of downgrading sensitivity levels is called declassification
- The process of upgrading sensitivity levels is called reclassification

Value and Criticality of Information Systems

- Information is assigned a classification level for protection purposes
- Classification is only one of the elements in determining the overall value & criticality of the information to the organization
- The asset’s value must be determined before a cost can be associated with protecting this asset

Value and Criticality of Information Systems Cont.

Calculating the value of an asset:
- Cost to acquire or develop asset
- Cost to maintain & protect asset
- Cost to replace asset
- Importance of asset to owner
- Competitive advantage of the information
- Marketability of information
- Impact on delivery of services
- Reputation
- Liability issues
- Regulatory compliance requirements

Value and Criticality of Information Systems Cont.

- An organization should always keep an updated information asset inventory
- You can’t protect what you don’t know you have!

Asset Inventory Methodology: hardware assets include (but are not limited to):
- Computer equipment
- Communication equipment
- Storage media
- Infrastructure equipment

Value and Criticality of Information Systems Cont.

Asset Inventory Methodology: software assets include (but are not limited to):
- Operating System software
- Productivity software
- Application software

Value and Criticality of Information Systems Cont.

Asset Inventory characteristics & attributes:
- Each asset should have a unique identifier
- Create a naming convention so that all assets are consistently named throughout the company
- Each asset should have a description: what is this asset used for?
- Manufacturer imprint:
  - Hardware: manufacturer name, model & serial numbers
  - Software: publisher name, version number, revision number, patch level

Value and Criticality of Information Systems Cont.

Asset Inventory characteristics & attributes:
- Physical address: geographical location of the asset
- Logical address: where the asset can be found in the organization’s network
- Controlling entity: the department that funded the purchase/development of this asset

System Characterization

- Articulates the understanding of the system, including the boundaries of the system being assessed, the system’s hardware and software, and the information that is stored, processed and transmitted.
- Assets should be ranked based on their protection level and importance to the organization

System Characterization Cont.

Two criteria used to rank information:
- System impact: how vital is this information to the organization?
- Protection level: the level of protection/safeguards required

System Characterization Cont.

Three levels used to characterize information assets (system impact):
- High: breach or disruption of information would have major business processing or customer impact
- Medium: breach or disruption of information would have minor business processing or customer impact
- Low: breach or disruption of information would have no business processing or customer impact

System Characterization Cont.

Three levels used to characterize information assets (information protection):
- High: compromise / disclosure / loss would have a significant negative impact
- Medium: compromise / disclosure / loss would have some negative impact
- Low: compromise / disclosure / loss would have a minimal negative impact

System Characterization Cont.

Criticality ratings:
- Provide the basis on which to prioritize and allocate resources to protect information assets
- Also used during risk analysis and management, disaster recovery planning and business continuity planning
- Should be revised at least once a year and anytime a change driver is introduced
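One way to keep the inventory attributes and the two characterization criteria from these slides in a single record, as an added Python example that is not part of the original slides: the ACME- naming prefix, the numeric level weights and the sample assets in the test are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Labels and levels are the slides' own; the numeric weights are an assumption for ranking.
LABELS = ("Confidential", "Sensitive", "Restricted", "Public")
LEVELS = {"High": 3, "Medium": 2, "Low": 1}

@dataclass
class Asset:
    asset_id: str            # unique identifier following the company naming convention
    description: str         # what is this asset used for?
    classification: str      # one of LABELS
    system_impact: str       # High / Medium / Low: how vital the information is
    protection_level: str    # High / Medium / Low: safeguards required
    owner: str               # information owner
    custodian: str           # information custodian (implements the controls)
    controlling_entity: str  # department that funded the purchase/development
    physical_address: str    # geographical location
    logical_address: str     # where it is found on the organization's network
    last_reviewed: date      # when its criticality rating was last revised

def validate(asset: Asset, prefix: str = "ACME-") -> list:
    """Inventory-policy violations for one record (empty = clean); 'ACME-' is a hypothetical convention."""
    problems = []
    if not asset.asset_id.startswith(prefix):
        problems.append("id does not follow naming convention")
    if asset.classification not in LABELS:
        problems.append("unknown classification label")
    for attr in ("system_impact", "protection_level"):
        if getattr(asset, attr) not in LEVELS:
            problems.append(f"{attr} must be High, Medium or Low")
    return problems

def duplicate_ids(assets) -> set:
    """Identifiers used more than once; every asset must carry a unique identifier."""
    seen, dupes = set(), set()
    for a in assets:
        (dupes if a.asset_id in seen else seen).add(a.asset_id)
    return dupes

def criticality(asset: Asset) -> int:
    """Rank from the two characterization criteria: 9 (High/High) down to 1 (Low/Low)."""
    return LEVELS[asset.system_impact] * LEVELS[asset.protection_level]

def review_due(asset: Asset, today: date, change_driver: bool = False) -> bool:
    """Ratings are revised at least once a year and whenever a change driver is introduced."""
    return change_driver or (today - asset.last_reviewed) > timedelta(days=365)
```

Sorting an inventory by criticality (highest first) gives the order in which protection resources are allocated.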

Summary

- A company cannot defend its information assets unless it knows what they are and where they are. Furthermore, the company must also identify how critical these assets are to the business process.
- Companies need an inventory of their assets and a classification system for those assets.
- Companies should run criticality analyses at least once a year.