Secured View - Asset Classification and Control
Identifying and classifying assets

The task of identifying assets that need to be protected is a less glamorous aspect of information security. But unless we know these assets, their locations and value, how are we going to decide the amount of time, effort or money that we should spend on securing the assets? by Avinash Kadam

In this series on Information Security Management System, we have so far discussed Security policy writing and Security organization structure. Security policy is essential, since it shows the management's commitment to the subject of information security, and establishes an outline giving clear direction in this matter. Security organization creates an administrative infrastructure defining roles and responsibilities of various participants who are entrusted with the responsibility of implementing and monitoring various aspects of information security.

The task of identifying assets that need to be protected is a less glamorous aspect of information security. But unless we know these assets, their locations and value, how are we going to decide the amount of time, effort or money that we should spend on securing the assets?

The major steps required for asset classification and controls are:

A. Identification of the assets

B. Accountability of assets

C. Preparing a schema for information classification

D. Implementing the classification schema

A. Identification of assets
What are the critical assets? Suppose your corporate office was gutted in a major fire. Coping with this level of disaster will depend on what critical information you previously backed up at a remote location. Another nightmarish scene is that a hacker entered your network and copied your entire customer database. What impact will this have on your business?

Identifying the critical assets is essential for many reasons. You will come to know what is critical and essential for the business. You will be able to take appropriate decisions regarding the level of security that should be provided to protect the assets. You will also be able to decide about the level of redundancy that is necessary by keeping an extra copy of the data or an extra server that you should procure and keep as a hot standby.

Next question that we need to ponder upon is: What exactly is an information asset? Is it the hardware, the software, the programs or the database?

We can broadly classify assets in the following categories:

1. Information assets
Every piece of information about your organization falls in this category. This information has been collected, classified, organized and stored in various forms.

Databases: Information about your customers, personnel, production, sales, marketing, finances. This information is critical for your business. It's confidentiality, integrity and availability is of utmost importance.

Data files: Transactional data giving up-to-date information about each event.

Operational and support procedures: These have been developed over the years and provide detailed instructions on how to perform various activities.

Archived information: Old information that may be required to be maintained by law.

Continuity plans, fallback arrangements: These would be developed to overcome any disaster and maintain the continuity of business. Absence of these will lead to ad-hoc decisions in a crisis.

2. Software assets
These can be divided into two categories:

a) Application software: Application software implements business rules of the organization. Creation of application software is a time consuming task. Integrity of application software is very important. Any flaw in the application software could impact the business adversely.

b) System software: An organization would invest in various packaged software programs like operating systems, DBMS, development tools and utilities, software packages, office productivity suites etc.

Most of the software under this category would be available off the shelf, unless the software is obsolete or non-standard.

3. Physical assets
These are the visible and tangible equipment and could comprise of:

a) Computer equipment: Mainframe computers, servers, desktops and notebook computers.
b) Communication equipment: Modems, routers, EPABXs and fax machines.
c) Storage media: Magnetic tapes, disks, CDs and DATs.
d) Technical equipment: Power supplies, air conditioners.
e) Furniture and fixtures

4. Services

a) Computing services that the organization has outsourced.
b) Communication services like voice communication, data communication, value added services, wide area network etc.
c) Environmental conditioning services like heating, lighting, air conditioning and power.

B. Accountability of assets
The next step is to establish accountability of assets. This is not difficult for the tangible assets like physical assets. Usually the organization will have a fixed assets register maintained for the purpose of calculating depreciation.

A more difficult task is establishing ownership for the information assets. There will be a number of users for these assets. But the prime responsibility for accuracy will lie with the asset owner. Any addition or modification to the information asset will only be done with the consent of the asset owner. For example, any changes to customer information will be done with the knowledge and consent of the marketing head. Information technology staff will probably make the changes, physically. But ownership clearly lies with the business head who has the prime responsibility for the content in the customer database.

Using these criteria, we have to identify the actual owners of each of the information assets. This is also an important step for one more reason. Only an owner of the asset will be able to decide the business value of the asset. Unless the correct business value of the asset is known, we cannot identify the security requirement of the asset.

The next step is identifying owners of the application software. Application software implements the business rules. As such the business process owner should be the owner of application software. But the responsibility of maintaining application software to accurately reflect business rules will be vested with the application developers. As such, the accountability for application software should be with the application development manager.

System software ownership could be with the appropriate persons within the IT team. The owner of these assets will be responsible for maintaining all the system software including protecting the organization against software piracy.

Assets valuation
What is the value of an asset? Like beauty, which is in the eyes of the beholder, an asset's value is best known to the asset owner. It may not be merely the written down value. A more realistic measure is the replacement value. How much is it going to cost if the asset has to be acquired today? Accurate valuation of an information asset is a tricky task. Due care must be taken. A seemingly small item may be immensely difficult to replace today.

True value of the asset will lead us to identify realistic measures needed for protection of the asset.

C. Preparing a schema for classification
The next task is to create classification levels. The criteria for the classification of assets could be:

1. Confidentiality: Can the information be freely distributed? Or do we need to restrict it to certain identified individuals?
2. Value: What is the asset value? Is it a high value item, costly to replace or a low value item?
3. Time: Is the information time sensitive? Will its confidentiality status change after some time?
4. Access rights: Who will have access to the asset?
5. Destruction: How long the information will be stored? How can it be destroyed, if necessary?

Each asset needs to be evaluated against the above criteria and classified for easy identification. Let us look at each category for classification.

Confidentiality could be defined in terms of:

a) Confidential: Where the access is restricted to a specific list of people. These could be company plans, secret manufacturing processes, formulas, etc.
b) Company only: Where the access is restricted to internal employees only. These could be customer databases, manufacturing procedures, etc.
c) Shared: Where the resources are shared within groups or with people outside of the organization. This could be operational information and contact information like the internal telephone book to be shared with business partners and agents.
d) Unclassified: Where the resources are publicly accessible. For example, the company sales brochure and other publicity material.

Classification based on value could be high, medium or low value. A detailed explanation should be prepared giving the reasoning for this classification. A critical component costing a few rupees may be a very high value item as it is not easily available and could stop the production of a high cost item.

Access rights need to be defined for individuals as well as groups. Who is cleared to access confidential information in the organization? And who decides the access rights? Logically, it will be the asset owner who will decide these access rights.

Destruction should be a scheduled and controlled activity. The information that is no longer needed by the company but which could still be useful to competitors, should be destroyed as per a pre-decided schedule and method—depending on the confidentiality classification. For information recorded on hard disk, mere deletion of files does not obliterate information. A more stringent procedure like multiple overwriting may be needed.

Classification schema should lead to an implementable structure. It should be simple to understand and identify.

D. Implementation of the classification schema
The real test of classification schema is when it is implemented. Information is a fluid resource. It keeps changing its form. The implementation should lead to a uniform way of identifying the information so that a uniform protection could be provided.

Let us take an example. A company's business plan is a confidential document. Let us trace its journey in the corporate world.

The plan will be discussed behind closed doors, known to only a few senior members. In the next step the final plan will be prepared and stored on the MD's computer or that of his secretary. A soft copy of this plan would be sent by email to all executives who need to refer to it. The hard disk of every computer where the plan is stored will also have a backup copy on floppy or other media. Each member will no doubt print it and keep a hard copy folder for reference. An extra copy will also be prepared using the copying machine. If the email is not available, the plan would be sent by fax, post or courier.

So the 'confidential' plan is now distributed across the organization, available on the hard disks of computers belonging to each secretary and each senior executive. You get the general idea. If this can happen to confidential information, imagine how easy it is to get hold of other types of information. The information explosion has given rise to proliferation of information in every nook and corner of the organization.

A practical implementation of classification schema thus becomes very important. The classification label should not give an easy way of identification, which could be misused. It should provide the right amount of protection.

In the example given above, each and every asset where the confidential information is residing or transiting through will have to be given the same classification level as that of the information itself.

It may be desirable to altogether avoid transmission of confidential documents in soft copy format, for example as an attachment to email. Only a restricted number of hard copies should be circulated. If it is necessary to carry the soft copies, everyone should be instructed to encrypt information for transmission and storage, and to memorize their passwords and keep them secret.

Asset classification is thus the key to various security controls that need to be implemented for asset protection.