
Information Asset Management

Part 2 – Defining Information Asset Groups

Steve Simpson CISSP


Defining the Information Asset Groups and Impacts

Introduction
Following on from the previous document you should now have a really good idea of
what information assets are and have identified those which are important to the
running of your business. As previously stated, the chances are that the list is now
well in excess of twice the size that was originally estimated. In fact there could
well be a potentially enormous quantity of data that has been identified.
This information is most likely being protected at various levels and to various
degrees, if indeed it is being protected at all. It is also likely that the protection
being given has more to do with where the information is stored than with any
calculated risk assessment having been carried out. The information needs to be
protected, but it is unlikely to require the same level of protection across the board;
that would not be practical, effective or economical to achieve. Financial information
regarding a contract being established with a potential new client needs a different
level of protection from the stationery order for the finance department. Yet both are
information assets, both originated from the same broad group (computer on-line
based records), both are likely to be stored in the same file system on the computer,
and both may even be accessible by the same group of users (finance branch staff).
This exaggerated example shows that the broad groups used in the first document
are adequate as a thought-provoking means of gathering details about the
information assets, but are not sufficient to assess the security risks to those assets
or the protection they need.
Therefore further groupings must be established that link the information assets by
the way that they need to be protected. From a risk management perspective the
best way to group assets for risk evaluation is to place them in groups where the
sensitivity of the information is the same and the impact should the information be
compromised is the same. The actual groupings used by an organisation will depend
upon their core business and could vary widely from company to company. However,
some suggested information asset groups might include:
- Personnel information – Information containing personal details of the type
which is likely to be covered by national legislation or which would be useful
to anyone attempting identity theft type attacks.
- Financial information – Information containing details of a financial nature,
such as personnel salaries, contract information or corporate standing. This group
could include various sub-groups if the impact of the compromise of such
information is not equal.
- Contract information – Information of a contractually sensitive nature which
would be of value to business competitors.
- Business IP (Business critical data) – This information group would contain
your core business information assets (such as a brewer's secret beer recipe, or a
software company's source code).
- Management information – Information on management related topics, not
intended for distribution to persons below management level.
- Board specific information – Information on corporate board specific topics,
not intended for distribution to persons not part of the executive board.

Page 2 of 8

Steve Simpson – Principal Consultant Infosec Plus Consulting


- Technical information – Information of a technical or system nature that could
be of invaluable use to a potential hacker (external or internal).
- Production data – Information specific to the processes of a manufacturing or
utility organisation.
- Design data – Information relating to specific designs (although this could be
included within the Business IP group).
- Admin or general information – Information that contains general items that
would not have any particularly damaging effects if compromised.

Assessing the value of an asset group


Each information asset now needs to be allocated an owner. In most cases there will
be a simple and logical choice of owner (often the creator of the information), but
there will also be those that require a little more thought than the others. The
asset owner must be aware that they are the owner (this sounds simple, but there
have been occasions where the owner of a piece of information has not been aware
of this responsibility). The owner needs to have a reason for owning the asset and
must understand the content and value of the asset.
Before an asset can be valued, there needs to be a standardised measure of value.
The generation of such metrics is likely to require the development of an
organisational asset value plan; this will require a considerable amount of thought,
discussion and, yet again, interdepartmental collaboration.
In order for the agreed value to be of most use, it is worth considering tying this value
to the level of impact for that item of information. Impact in this sense is a rating of
the damage that the release of that piece of information would do to the
organisation should the information inadvertently be compromised or become public
knowledge.
Governments and Defence organisations have got this right (how often does anyone
get to say that), where the assessment of the value and impact of information assets
are concerned. Most people will have come across the classification or protective
marking system which generally grades information as falling into one of these
groups:
- Unclassified
- Restricted
- Confidential
- Secret
- Top Secret
One of these values is associated with every information asset item within a
Government or Defence organisation. To take this even further in organising and for
ease of identification, each of the information asset items is required to be labelled
with its given value. This is a great visible aid when calculating the risks to each
asset.
No one is going to suggest that all organisations should adopt an information valuing
system as rigid as this but it is worth looking at to see how Government and Defence
organisations calculate the value of a piece of information. Each information asset is
evaluated (usually during its creation) and at any time that it is modified to establish
what the consequences would be if that piece of information was released outside of
its intended target environment.
A greatly simplified example of this process could be that if there were no real
consequences of an item of information being released, or if the information is
already public knowledge, then that piece of information can be assessed as having
a value of Unclassified. However, at the other end of the scale, if the release of an
information asset could potentially put a person's life in jeopardy then the value
would have to be much higher and it is therefore likely to be classified as Top Secret.
Obviously not all valuations would be so straightforward, but this should give you
some idea of how greatly the value of information assets can vary, and how criteria
for the allocation of values could be developed.
This unfortunately and obviously does not directly equate to a corporate private
sector situation. It is unlikely (although not completely out of the question) that the
release of information could result in loss of life. A commercial enterprise is however
going to have huge concerns about critical business information leaking out from
their organisation, which could lose them their market share or their position at the
forefront of their industry.
It would not be practical or necessary for all organisations to develop a system
whereby it was mandatory for all their information assets to be categorised and
labelled. Linking a label specifically to an impact level in the simplified way described
above would be particularly difficult to achieve. It may therefore be more practical in
some cases to develop two systems: one for identifying restrictions to access (and
therefore potentially to storage), and a second for identifying the impact level.
Identification of restrictions to access is relatively straightforward and flexible to the
needs of any organisation. All organisations have some information assets that
they consider to be sensitive; in particular, assets that fall into the category of
business IP (business critical information) are likely to require restrictions to be
placed on them. Likewise, most organisations will hold information such as personal
details that falls into a category requiring some protection by law or through
mandatory compliance with other governance influences. It would be of great benefit
to the organisation if the information assets that fall into these categories could be
easily identified.
Again referencing the Government and Defence information labelling systems, there
are further categories that place further restrictions on the handling and distribution of
the information. These additional categories include such things as the 'Eyes only'
type of information so regularly emphasised in the movie industry, and also the more
commonly seen 'in-confidence' range of markings. This is where an individual
organisation could benefit from selecting specific types of information asset and
introducing a marking and labelling system to identify them. Labels that match too
closely the Government and Defence classification system should be avoided,
however, to prevent confusion, particularly for organisations that have dealings with
Government and Defence departments. This unfortunately rules out the label
'confidential' as a standalone label but does not exclude derivatives such as the
third suggestion below. Labels that may be of use in a corporate environment could
include:
- Board Only
- Management Only
- Business Confidential
- Personnel in Confidence
- Contracts in Confidence
- Commercial in Confidence
- Finance in Confidence
There are far too many possibilities to list here but as long as the marking system is
standardised and understood throughout the organisation implementing it then
almost any marking can be used.
If an organisation chooses to implement such a system then a system of definitions
and boundaries needs to be established in order to regulate the use of the terms.
The following table shows a possible single example for such a system of definitions:

Information Label: BOARD ONLY
Impact on Confidentiality: If the release of information beyond members of the
board could compromise the position of the board or damage the image/reputation
of the organisation.
Restriction of Access: Corporate board members and authorised PAs only.

Table 1

The above table shows a single example for a representative marking; however, it
only includes the impact on confidentiality. It may be necessary for the impacts on
the availability and integrity of the information to be considered as well. A further
consideration would be the impact upon compliance, as may be the case where
regulatory compliance is an organisational concern. This table also only includes a
column defining restrictions on access to on-line information; other aspects which may
require consideration are restrictions on storage, means of distribution (handling) etc.
It is unlikely to be practical for each and every item of information to be physically
labelled. However, it would be good policy to select the most sensitive items and
make the labelling of these assets mandatory for ease of control over the assets.
Policy regarding such labelling needs to be specific in ensuring that all removable
media items containing sensitive information assets have a physical label identifying
them. This allows for easy identification of such an asset when it is outside its normal
environment.

Assessing the Impact value of an asset


Whilst that takes care of categorising and handling instructions for the information
assets, we still need to give the assets a value for impact measurement
purposes. Here, further influencing factors must be considered that differ from the
way in which a Government or Defence organisation would view impact. A
commercial organisation will have to consider issues such as potential damage to
its brand name and the potential impact on share prices and market position.
The simplest means of applying a value to an asset is by associating a number on a
scale between 1 and 5: 1 being given to an asset where there is minimal or no
impact associated with the compromise of that information, and 5 being given to an
asset where a large amount of impact is foreseen to result from the
compromise of that information.
In the same way that a table was drawn up for defining the allocation of security
related markings for information, a table is required here to define the differences
between the 5 levels of value. The actual table used needs to provide clear and
specific guidance for the allocation of these values. The table below gives a very
generic structure that would need considerable expansion to be of use and is only
shown here as a starter to provoke thought on how impact affects your business.
Much as I would hate to suggest that any organisation needs even more
meetings than it already has, the definition and allocation of impact values is
best achieved in a committee type setting.

Value  Rating      Definition
5      Very High   Impact of compromise of asset would cause grave damage to the organisation.
4      High        Impact of compromise of asset would cause serious damage to the organisation.
3      Medium      Impact of compromise of asset would cause detrimental damage to the organisation.
2      Low         Impact of compromise of asset would cause little damage to the organisation.
1      Negligible  Impact of compromise of asset would cause minimal damage to the organisation.

Table 2

Once a plan has been developed to define impact levels, these levels can be
associated to the groups of assets defined earlier in this document rather than to the
extensive quantity of individual asset items that we identified in the first document.
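As an added example (not part of Steve Simpson's paper), the Python below models the two-system scheme described above: a marking system in the style of Table 1 that maps labels to access restrictions, and the Table 2 impact scale allocated per asset group, with a check over a constructed inventory for the policy points the text raises (assets with no owner, labels that clash with the Government markings, and sensitive items, including those on removable media, that carry no label). The roles, the group impact values and the rule that impact 4 and 5 items must be labelled are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Government/Defence markings the paper says not to reuse as standalone corporate labels.
RESERVED_MARKINGS = {"UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"}
MARKINGS: Dict[str, set] = {  # Table 1 style: label -> roles permitted access (roles assumed)
    "BOARD ONLY": {"board", "board-pa"},
    "MANAGEMENT ONLY": {"board", "management"},
    "BUSINESS CONFIDENTIAL": {"board", "management", "staff"},
    "FINANCE IN CONFIDENCE": {"board", "finance"},
}
IMPACT_SCALE = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Negligible"}  # Table 2
# Impact is allocated per asset group rather than per item; these values are assumptions.
GROUP_IMPACT = {"Business IP": 5, "Board": 5, "Financial": 4, "Personnel": 4, "Admin": 1}
LABEL_MANDATORY_FROM = 4  # assumption: "most sensitive" means impact 4 and 5 must be labelled

@dataclass
class Asset:
    name: str
    group: str
    owner: Optional[str]
    label: Optional[str] = None
    on_removable_media: bool = False

def impact_of(asset: Asset) -> int:
    return GROUP_IMPACT[asset.group]  # value inherited from the asset's group

def may_access(asset: Asset, role: str) -> bool:
    """Restriction of access column: an unlabelled asset is not restricted by the marking system."""
    return True if asset.label is None else role in MARKINGS.get(asset.label.upper(), set())

def findings(asset: Asset) -> List[str]:
    """Policy findings for one asset; an empty list means it complies."""
    out: List[str] = []
    if not asset.owner:
        out.append("no owner allocated")
    label = asset.label.upper() if asset.label else None
    if label in RESERVED_MARKINGS:
        out.append("label clashes with a Government/Defence marking")
    elif label is not None and label not in MARKINGS:
        out.append("label is not a defined marking")
    if label is None and impact_of(asset) >= LABEL_MANDATORY_FROM:
        where = "removable media" if asset.on_removable_media else "inventory"
        out.append(f"{IMPACT_SCALE[impact_of(asset)]} impact asset unlabelled ({where})")
    return out

def inventory_report(assets: List[Asset]) -> Dict[str, List[str]]:
    return {a.name: findings(a) for a in assets}

SAMPLE = [  # constructed inventory, not real data
    Asset("beer-recipe.docx", "Business IP", "head brewer", "BUSINESS CONFIDENTIAL"),
    Asset("board-minutes-q3.pdf", "Board", None, "BOARD ONLY"),
    Asset("payroll-2024.xlsx", "Financial", "finance manager", "Confidential"),
    Asset("hr-backup.usb", "Personnel", "hr manager", on_removable_media=True),
    Asset("stationery-order.xlsx", "Admin", "office admin"),
]
```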
Conclusion
It is never going to be easy taking such a large amount of information and
categorising it to the extent that it has a value, but it is a very worthwhile exercise all
the same. You will now have a much better picture of the value of information assets
and possibly more importantly have a much better idea of what impact the loss of
such assets would cause.
We are yet another step closer to being able to perform a meaningful risk
assessment that will greatly aid in providing you with the most cost effective security
plan for your business.
Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored,
vendor neutral information security business advisory services. Services include:

- Data Loss Assessments – Data loss is a serious concern for all
organisations. Many organisations each year never manage to recover
from a security breach. Infosec Plus can provide you with assurance
through a holistic review of your business policies, processes and
procedures to establish where you may be susceptible to data loss,
allowing you to assess the risks and apply targeted risk mitigation controls.
- Holistic Security Review – A holistic review of your organisation's
information security including technology, procedural, physical and
personnel security measures.
- Risk Assessment/Management – Assessing the risk from specific threats
will give you the ability to apply the most efficient and cost effective
security measures. The introduction of a risk management program can
considerably reduce operational costs.
- PCI Compliance Review – All organisations that store, process or transmit
credit card information must comply with the Payment Card Industry
Data Security Standard (PCI-DSS). Infosec Plus can guide you through
this process and provide you with the information you need to gain and
maintain compliance with this exacting standard.
- Security Awareness – The single most effective way to reduce data loss
and increase the security standing of your organisation is through the
introduction of a security awareness program. Infosec Plus can guide you
through the development of an awareness program and can provide one
to one or one to many training sessions to get the security message
across.
- Network Access Control – All organisations need to protect their valuable
business and personal data from the ever increasing need for system
interconnectivity. Infosec Plus can guide you through the process of
developing a Network Access Control policy that will allow day to day
business to continue in the safest possible manner.
- Project Augmentation – If you are running or planning a project that needs
to include security representation, Infosec Plus can provide a consultant
to join your team, providing expert security advice to ensure that the
project provides the security that your business information assets require.
