Identify and Classify your Information Assets

Page 1: Identify and Classify your Information Assets

Cyber Security Awareness Month: Nugget 1

Identify and Classify your Information Assets

Chinatu Uzuegbu, Cyber Security Consultant

CISSP, CISM, CISA, CEH, ITIL, MCSE

Identify and Classify your Information Assets: Quotable Quotes

• The degree of value you place on your assets determines the level of protection you will commit to them.

• Think value before security.

• The value you attach to anything in life motivates you either to protect it or to neglect it.

• The driving force or zeal shown in securing any asset or resource depends on the value attached to it.

Identify and Classify your Valuable Asset: What is an Asset?

• An asset is any desirable, good-quality item with an exchangeable value: an item of ownership convertible into cash, or the total resources of a person or business.

• In information security, an asset is any data, application, system, server, database, financial record, mobile phone, laptop, network or communication infrastructure, goodwill, cash or other item of value to you as a person, company or government.

• The level of value and importance you attach to each asset classifies it as high or low.

• An asset is highly valued if you cannot do without it; you would need to go the extra mile to secure it from any form of attack or destruction.

Identify your Valuable Assets: The Cyber Security Process Begins Here...

• Any successful cyber security programme must begin by identifying your critical information assets: those assets that the business, government or person actually needs to keep running.

• This is achieved with impact analysis and risk assessment techniques, that is, by analysing how much loss the business, government or person would incur if, for any reason, the asset were destroyed or tampered with.

• The impact analysis gives a clearer picture of which assets are actually critical and therefore need protecting.

Classify your Valuable Assets: Identified! But to what degree?

• The next step after identifying your critical information assets is to classify them.

• The classification of each asset is determined from the result of the impact analysis, agreed with the asset owners.

• All stakeholders of the assets, typically the members of the Cyber Security Steering Committee, establish the thresholds and define the categories used in the classification process.

• The categories could be: Highly Secret, Secret, Private, Confidential, Public. Each category should carry defined handling rules (who may access the asset and how it is stored, transmitted and disposed of); a label without handling rules changes nothing.

• Each identified asset is then classified under one of the above categories based on the level of value placed on it.

The CIA Triad: Confidentiality, Integrity and Availability

• It is now time to secure the assets according to their classification levels, using the concept of Confidentiality, Integrity and Availability (the CIA triad).

• Cyber security measures are, by best practice, tailored around the CIA triad.

• Confidentiality assures that information assets are protected from unauthorised disclosure.

• Integrity assures the accuracy of information and that information is protected from unauthorised modification.

• Availability assures that information is accessible to authorised users in a timely manner, as and when required.

Building The Cyber Security Culture

• The journey to building a cyber security culture begins with the concept of the CIA triad.

• The administrative, technical and physical security measures that we will look at in the subsequent nuggets are also tailored around the CIA triad.

• Administrative, technical and physical security measures are implemented from the preventive, detective, recovery, corrective and deterrent points of view.

• Going forward we will look at the various types of attack and how they can be mitigated using the above techniques and approach.

In Summary

This nugget may sound a bit technical to most of us; you need not worry much, but grab this:

• To build a successful cyber security culture, you must first identify and classify your critical assets, whether as a business, government, non-profit organisation or private individual.

• The identification and classification of assets is achieved using impact analysis and risk assessment techniques.

• The classification levels must be defined by the key stakeholders, made up of the asset owners and driven from top-level management.

• Security measures and culture are tailored around the Confidentiality, Integrity and Availability (CIA triad) of the information assets.

• Administrative, technical and physical security measures are applied from the preventive, detective, recovery, corrective and deterrent points of view.

• Understanding the above concepts helps in building layered and seamless security measures around our information assets.

• We will look at the various attack types and how they can be mitigated using the above techniques in the subsequent nuggets.

• We hope this helps.

See You in the Next Nugget!

Thank You

Chinatu Uzuegbu, CISSP, CISM, CISA, CEH, ITIL, MCSE