An asset is anything that has worth to an organization. It includes people, partners, equipment, facilities, reputation, and information. A thorough treatment of assets was given in Domain 1: Security & Risk Management, covered in our previous blog; refer to the mentioned hyperlink for more details.
As discussed in previous blogs in the context of risk management, every asset needs to be protected, but this blog focuses on protecting information assets. Information (data) is typically the most valuable asset and lies at the center of every information system, so a precise focus on its protection makes good sense.
- Information Life-cycle
- Define Sensitive Data
- Need for classification and its Procedure
- Identify Data role
- Data Security Policy
- Understanding different Data states and their Protection mechanism
- Labeling Sensitive Data
- Storing Sensitive Data
- Destroying Sensitive Data
- Data Retention
- Data Protection with Encryption
- Selecting Security controls – Standard
- Selecting Security controls – Baseline
- Selecting Security controls – Configuration/Change/Patch Management
Let’s first understand what “information” is. In simple words, it is data combined so as to form some meaning. Once information is created, it goes through a complete life-cycle in an organization, so we begin with the information life-cycle. Data passes through multiple phases, and the CIA triad (confidentiality, integrity, availability) must be ensured at every one of them.
To address the CIA triad effectively and economically, we need to understand which information is sensitive in the interest of our organization.
Thus, the first step in asset security is to classify and label the asset.
Refer to below mindmap for Information Life-cycle, Sensitive Data, Data Classification, and Its Procedure.
Once we have classified data and assets, it is imperative to understand the roles and responsibilities of the different individuals involved, the importance of data security policies, and the different states of data in the organization.
Please note: the different roles and responsibilities are not discussed here. For such details, please refer to our previous blog on Organizational Roles and Responsibilities as discussed in Domain 1: Security & Risk Management.
The next step is to understand how to label, store, and destroy any sensitive information asset.
Beginning with where we left off, let’s understand “Data Retention Policy” & some of the security controls used for Protecting Sensitive Assets and Data.
Case Study: PII data on a SQL server
Suppose an organization stores all the PII data it retains on a SQL server located in the organization’s demilitarized zone (DMZ). If the organization decides to replace the SQL server with a new Windows Server 2016 computer, it will be necessary to back up the PII from the old server and restore it to the new server. The organization may also want to retain the backup of the PII and store it in a safe or other secure location, in case it should ever need it. Finally, the organization must ensure that the PII cannot be retrieved from the hard drive of the old server, which may require physical destruction of the hard drive.
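The migration steps in the case study (back up the PII database, keep a copy for retention, restore it on the replacement server) can be carried out so that the retained copy is itself protected at rest. The T-SQL below is an added example, not part of the original blog post; the database name `PIIStore`, the certificate name `PIIBackupCert`, the `D:\Backup\` paths and the password placeholders are all assumptions. The final step of the case study, sanitizing the old drive, is a physical process and has no equivalent here.

```sql
-- Added example; all object names, paths and passwords are placeholders.
-- === On the OLD server: encrypt the backup so the retained copy is unreadable
-- === without the certificate (protection of data at rest).
USE master;
GO
-- One-time setup: a database master key and a certificate used to encrypt backups.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password-placeholder>';
CREATE CERTIFICATE PIIBackupCert WITH SUBJECT = 'PII backup encryption';
GO
-- Export the certificate and its private key. Without these files the encrypted
-- backup can never be restored, so they must be retained as carefully as the
-- backup itself, and stored separately from it.
BACKUP CERTIFICATE PIIBackupCert
    TO FILE = 'D:\Backup\PIIBackupCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\Backup\PIIBackupCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
-- Full backup of the PII database, encrypted with AES-256 and protected by
-- page checksums so media corruption is detected rather than silently restored.
BACKUP DATABASE PIIStore
    TO DISK = 'D:\Backup\PIIStore_full.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = PIIBackupCert),
         CHECKSUM,
         STATS = 10;
GO
-- Verify the backup is readable and its checksums are intact BEFORE the old
-- server is decommissioned; an unverified backup is not a backup.
RESTORE VERIFYONLY
    FROM DISK = 'D:\Backup\PIIStore_full.bak'
    WITH CHECKSUM;
GO

-- === On the NEW Windows Server 2016 host: import the certificate, then restore.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password-placeholder>';
CREATE CERTIFICATE PIIBackupCert
    FROM FILE = 'D:\Backup\PIIBackupCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\Backup\PIIBackupCert.pvk',
        DECRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
-- The restore only succeeds if the matching certificate is present; that is the
-- property that makes the copy kept in the safe safe to retain.
RESTORE DATABASE PIIStore
    FROM DISK = 'D:\Backup\PIIStore_full.bak'
    WITH CHECKSUM, RECOVERY;
GO
```

If the data and log file locations differ on the new server, add `MOVE 'logical_name' TO 'new_path'` clauses to the `RESTORE DATABASE` statement (logical names can be listed with `RESTORE FILELISTONLY`). The `.cer` and `.pvk` files and their passwords should be kept under the same retention policy as the backup, but in a different location, so that the retained PII copy stays useless to anyone who obtains only the backup media.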