This is the first Nugget in the series 'Cyber Security Awareness Month 2017'. It is important to identify and classify your Information Assets before the necessary security measures...
1. Cyber Security Awareness Month:
Nugget 1
Identify and Classify your Information Assets
Chinatu Uzuegbu
Cyber Security Consultant
CISSP, CISM, CISA, CEH, ITIL, MCSE
2. Identify and Classify your Information Assets:
Quotable Quotes
• The degree of value you place on your Assets determines the level of protection you will commit to them.
• Think value before security.
• The value you attach to anything in life will either motivate or demoralise you, driving further positive or negative actions towards that thing.
• The driving force or zeal exhibited in securing any Asset or resource depends on the value attached to it.
3. Identify and Classify your Valuable Asset:
What is an Asset?
• An Asset is any desirable, good-quality item with an exchangeable value: an item of ownership convertible into cash, or the total resources of a person or business.
• An Asset is that data, application, system, server, database, financial information, mobile phone, laptop, network and communication infrastructure, goodwill, cash or anything else valuable to you as a person, a corporate firm or a Government.
• The level of value and importance you attach to each Asset classifies it as either high or low.
• An Asset is highly valued if it is one you cannot do without. You would need to go the extra mile to secure it from any form of attack or destruction.
4. Identify your Valuable Assets:
Cyber Security Process Begins Here...
• Any successful Cyber Security program must begin with identifying your critical Information Assets, that is, those Assets that the business, Government or person actually needs to keep running.
• This is achieved using Impact Analysis and Risk Assessment techniques: analysing how much loss the business, Government or person would incur if, for any reason, the Asset were destroyed or tampered with.
• The impact analysis gives a clearer picture of which Assets are actually required.
5. Classify your Valuable Assets:
Identified! But to what degree?
• The next step after identifying your critical Information Assets is to classify the identified Assets.
• The classification of each Asset is determined from the result of the impact analysis carried out with the Asset owners.
• All stakeholders of the Assets, who should be members of the Cyber Security Steering Committee, establish the thresholds and define the categories used in the classification process.
• The categories could be: Highly Secret, Secret, Private, Confidential, Public.
• Each identified Asset is then classified under one of the above categories based on the level of value placed on it.
6. The CIA Triad:
Confidentiality, Integrity and Availability
• It is now time to secure the Assets according to their classification levels, using the concept of Confidentiality, Integrity and Availability (the CIA Triad).
• By best practice, Cyber Security measures are tailored around the concept of the CIA Triad.
• Confidentiality assures that Information Assets are protected from unauthorised disclosure.
• Integrity assures the accuracy of Information and that Information is protected from unauthorised modification.
• Availability assures that Information is accessible to authorised users in a timely manner, as and when required.
7. Building The Cyber Security Culture
• The journey to building the Cyber Security culture begins with the concept of the CIA Triad.
• The Administrative, Technical and Physical security measures, which we will look at in subsequent Nuggets, are also tailored around the concept of the CIA Triad.
• Administrative, Technical and Physical security measures are implemented from the preventive, detective, recovery, corrective and deterrent points of view.
• Going forward we will look at the various types of attack and how they can be mitigated using the above techniques and approach.
8. In Summary
This Nugget may sound a bit technical to most of us here; you need not worry too much, but grab this:
• To build a successful Cyber Security culture, you must first identify and classify your critical Assets, whether as a business, Government, non-profit organisation or private individual.
• The identification and classification of Assets is achieved using Impact Analysis and Risk Assessment techniques.
• The classification levels must be defined by the key stakeholders, made up of the Asset owners and driven from Top Level Management.
• Security measures and culture are tailored around the Confidentiality, Integrity and Availability (CIA Triad) of the Information Assets.
• Administrative, Technical and Physical security measures are applied from the preventive, detective, recovery, corrective and deterrent points of view.
• Understanding the above concepts helps in building layered and seamless security measures around our Information Assets.
• We will look at the various attack types and how they can be mitigated using the above techniques in subsequent Nuggets.
• We hope this helps.
9. See You in the Next Nugget!
Thank You
Chinatu Uzuegbu
CISSP, CISM, CISA, CEH, ITIL, MCSE