Asset Security

Asset : is anything of worth to an organization. This includes people, partners, equipment, facilities, reputation, and information.

Information life cycle

  • Acquisition (copied or created)
  • Use
  • Archival
  • Disposal

Backup : is a copy of a data set currently in use that is made for the purpose of recovering from the loss of the original data.

Archive : is a copy of a data set that is no longer in use, but is kept in case it is needed at some future point.

Classification

Information can be classified by sensitivity, criticality, or both.

Sensitivity : is commensurate with the losses an organization would suffer if that information were revealed to unauthorized individuals.

Criticality : is an indicator of how the loss of the information would impact the fundamental business process of the organization.

Some criteria an organization may use to determine the sensitivity of data :

  • The usefulness of data
  • The value of data
  • The age of data
  • The level of damage that could be caused if the data were disclosed
  • The level of damage that could be caused if the data were modified or corrupted
  • Legal, regulatory, or contractual responsibility to protect the data
  • Effects the data has on security
  • Who should be able to access the data
  • Who should maintain the data
  • Who should be able to reproduce the data
  • Lost opportunity costs that could be incurred if the data were not available or were corrupted

The classification rules must apply to data no matter what format it is in : digital, paper, video, fax, audio, and so on.

Classification procedures

  1. Define classification levels.
  2. Specify the criteria that will determine how data is classified.
  3. Identify data owners who will be responsible for classifying data.
  4. Identify the data custodian who will be responsible for maintaining data and its security level.
  5. Indicate the security controls, or protection mechanisms, required for each classification level.
  6. Document any exceptions to the previous classification issues.
  7. Indicate the methods that can be used to transfer custody of the information to a different data owner.
  8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian.
  9. Indicate procedures for declassifying the data.
  10. Integrate these issues into the security awareness program so all employees understand how to handle data at different classification levels.