Domain 2: Asset Security … Complete Guide

An asset is anything that has worth to an organization. It includes people, partners, equipment, facilities, reputation, and information. Assets were discussed in detail under Domain 1: Security & Risk Management in our previous blog; refer to that post for more details.

As discussed in previous blogs in the context of risk management, every asset needs to be protected; this blog focuses on protecting information assets. Information (data) is typically the most valuable asset and lies at the center of every information system, so a precise focus on its protection makes sense.

  • Information Life-cycle
  • Define Sensitive Data
  • Need for classification and its Procedure
  • Identify Data role
  • Data Security Policy
  • Understanding different Data states and their Protection mechanism
  • Labeling Sensitive Data
  • Storing Sensitive Data
  • Destroying Sensitive Data
  • Data Retention
  • Data Protection with Encryption
  • Selecting Security controls – Standard
  • Selecting Security controls – Baseline
  • Selecting Security controls – Configuration/Change/Patch Management

Let’s start with what “information” is. In simple words, it is data that is combined to form some meaning. Once information is created, it goes through a complete life-cycle in an organization, so we will begin with the information life-cycle. Data goes through multiple phases; therefore, the CIA (confidentiality, integrity, availability) should be ensured at every step.

To address the CIA effectively and economically, we need to understand which information is sensitive for our organization.

Thus, the first step in asset security is to classify and label the asset.

Refer to the mind map below for the information life-cycle, sensitive data, data classification, and its procedure.

Please note: The categories of data classification are not discussed here. For such details, please refer to our previous blog on Data Classification as discussed in Domain 1: Security & Risk Management.

Once we have classified data and assets, it is imperative to understand the roles and responsibilities of different individuals, the importance of data security policies, and the different states of data in the organization.

Please note: Different Roles and responsibilities are not discussed here. For such details, please refer to our previous blog on Organizational Roles and Responsibilities as discussed in Domain 1: Security & Risk Management.

The next step is to understand how to label, store, and destroy any sensitive information asset.

Continuing from where we left off, let’s understand the “Data Retention Policy” and some of the security controls used for protecting sensitive assets and data.

Case Study: PII data on a SQL server

Suppose an organization stores all the PII data it retains on a SQL server located in the organization’s demilitarized zone (DMZ). If the organization decides to replace the SQL server with a new Windows Server 2016 computer, it will be necessary to back up the PII from the old server and restore it to the new server. The organization may also want to retain the backup of the PII and store it in a safe or other secure location, in case it should ever need it. The organization must then ensure that the PII cannot be retrieved from the hard drive on the old server. This may require physical destruction of the hard drive.

Organizational Roles and Responsibility

A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization.

The following roles are presented in the logical order in which they appear in a secured environment:

Apart from these, the auditor is another role, responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

Case Study:

For example, say that a data owner requests more room on a system for the storage of data. The data owner strongly believes that the new data being collected will help the sales team be more efficient. However, storage on the system owner’s asset is at a premium. The system owner is unwilling to allow the data owner to use the amount of space he has requested. In this case, the business/mission owner would need to review both sides and decide whether collecting and storing the new data would result in enough increased revenue to justify the cost of allowing the data owner more storage space. If so, it may also be necessary to invest in more storage media for the system or to move the data to another system that has more resources available. But keep in mind that moving the data would possibly involve another system owner.

Security professionals should always be part of these decisions because they understand the security controls in place for any systems involved and the security controls needed to protect the data. Moving the data to a system that does not have the appropriate controls may cause more issues than just simply upgrading the system on which the data currently resides. Only a security professional is able to objectively assess the security needs of the data and ensure that they are met.

Data Classification … Why? What? How?

The first question that comes to mind is “Why do we need data classification; is it required?” If it is required, the next is “What would be the criteria to classify the data in my environment?” and the last is “How do we implement this?”

The answer to the first question is yes, because some data needs more security than other data. Hence, it is inefficient to treat all data the same way when designing and implementing a security system.

More sensitive data, such as human resources or customer information, can be classified in a way that shows that disclosure carries a higher risk. Informational data, such as that used for marketing, would be classified as lower risk. Data classified at a higher risk can create security and access requirements that do not exist for lower-risk data, which might not require much protection at all.

Data classification helps ensure that the data is protected most cost-effectively.

The classification is different in every company, but in general, there are two main groups:

Now we understand the importance of data classification. The immediate question is: what would be the criteria to classify the data into the categories mentioned above? Below are some general considerations that can be used for the classification of data.

Data Classification Criteria

After the classification scheme is identified, the organization must create the criteria for setting the classification. No established guidelines exist for setting the requirements, but some considerations are as follows:

  • Who should be able to access or maintain the data?
  • Which laws, regulations, directives, or liability might be required in protecting the data?
  • For government organizations, what would the effect on national security be if the data were disclosed?
  • For non-government organizations, what would the level of damage be if the data was disclosed or corrupted?
  • Where is the data to be stored?
  • What is the value or usefulness of the data?

The final step is “How do we implement this?” Refer to the steps below to implement data classification in your organisation.

Data Classification Procedures

  1. Identify the data custodian responsible for maintaining data and its security level, and define responsibilities.
  2. Specify the criteria for how the information will be classified and labelled.
  3. Specify the owner who sets the classification.
  4. Document exceptions.
  5. Select the security controls that will be applied to each classification level.
  6. Define procedures for declassifying the data.
  7. Create a security awareness program.

Case Study:

Data that is top secret includes weapon blueprints, technology specifications, spy satellite information, and other military information that could gravely damage national security if disclosed. Data that is secret includes deployment plans, missile placement, and other information that could seriously damage national security if disclosed. Data that is confidential includes strength of forces in the United States and overseas, technical information used for training and maintenance, and other information that could seriously affect the government if unauthorized disclosure occurred. Data that is sensitive but unclassified includes medical or other personal data that might not cause serious damage to national security if disclosed but could cause citizens to question the reputation of the government. Military and government information that does not fall into any of the four other categories is considered unclassified and usually has to be granted to the public based on the Freedom of Information Act.