Introduction
Following on from the previous document, you should now have a good idea of
what information assets are and have identified those that are important to the
running of your business. As previously stated, the chances are that the list is now
well in excess of twice what was originally estimated. In fact, a potentially enormous
quantity of data may well have been identified.
This information is most likely being protected at various levels and to various
degrees, if indeed it is being protected at all. It is also likely that the protection
currently given depends more on where the information happens to be stored than on
any calculated risk assessment. The information needs to be protected, but it is
unlikely to require the same level of protection across the board; that would be
neither practical, effective nor economical. Financial information regarding a contract
being established with a potential new client needs a different level of protection
from the stationery order for the finance department. Yet both are information
assets, both originate from the same broad group (computer on-line based records),
both are likely to be stored in the same file system, and both may even be accessible
by the same group of users (finance branch staff).
This exaggerated example shows that the broad groups used in the first document
are adequate as a thought-provoking aid when gathering details about the
information assets, but are not sufficient for assessing the security risks to those
assets or the protection they require.
Therefore further groupings must be established that link the information assets by
the way in which they need to be protected. From a risk management perspective the
best way to group assets for risk evaluation is to place together those whose
sensitivity is the same and whose impact, should the information be compromised, is
the same. The actual groupings used by an organisation will depend upon its core
business and could vary widely from company to company. However, some suggested
information asset groups might include:
Personnel information – Information containing personal details of the type
likely to be covered by national legislation, or which would be useful to anyone
attempting identity theft type attacks.
Financial information – Information containing details of a financial nature, such
as personnel salaries, contract information or corporate standing. This group could
include various sub-groups if the impact of the compromise of such information is
not equal.
Contract information – Information of a contractually sensitive nature which
would be of value to business competitors.
Business IP (Business critical data) – This information group would contain
your core business information assets (such as a brewer's secret beer recipe, or a
software company's source code).
Management information – Information on management related topics, not
intended for distribution to persons below management level.
Board specific information – Information on corporate board specific topics,
not intended for distribution to persons who are not part of the executive board.
Table 1
The above table shows a single example of a representative marking; however, it
only includes the impact on confidentiality. It may be necessary for the impacts on
the availability and integrity of the information to be considered as well. A further
consideration would be the impact upon compliance, as may be the case where
regulatory compliance is an organisational concern. This table also only includes a
column defining restrictions on the on-line information aspects; other aspects which
may require consideration are restrictions on storage, means of distribution
(handling), etc.
It is unlikely to be practical for each and every item of information to be physically
labelled. However, it would be good policy to select the most sensitive items and
make the labelling of these assets mandatory for ease of control over them. Policy
regarding such labelling needs to be specific in requiring that all removable media
items containing sensitive information assets carry a physical label identifying them.
This allows such an asset to be easily identified when it is outside its normal
environment.
5 – Very High: Impact of compromise of asset would cause grave damage to the
organisation.
Table 2
Once a plan has been developed to define impact levels, these levels can be
associated with the groups of assets defined earlier in this document rather than with
the extensive quantity of individual asset items identified in the first document.
Conclusion
It is never going to be easy to take such a large amount of information and
categorise it to the extent that it has an assigned value, but it is a very worthwhile
exercise all the same. You will now have a much better picture of the value of your
information assets and, possibly more importantly, a much better idea of the impact
the loss of such assets would cause.
We are yet another step closer to being able to perform a meaningful risk
assessment that will greatly aid in providing you with the most cost effective security
plan for your business.