Understanding information assets
Definition of information assets
Well, that’s easy, there isn’t one, well at least not one universally accepted definition. ISO/IEC 27000:2018 Overview and vocabulary refers to ‘information asset’ 33 times, but never actually defines it. A frequently (ab)used definition of an information asset is ‘everything that has a value to the organisation’. This is the point when your facilities manager starts counting chairs and desks.
So, is there anything out there that is a bit more illuminating? It’s a bit wordy, but we quite like the National Archives (2017) definition of an information asset as ‘… a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently. Information assets have recognisable and manageable value, risk, content and lifecycles.’
Incorporating information assets into information security governance
Organisations that are endeavouring to implement an information security management system (ISMS), will already have attempted to identify their information assets. Many will already have an asset register in place and will have an idea of the information security requirements pertaining to the ISMS implementation. Key aspects to be defined in the information security governance for information assets are:
• Asset type
• Asset owner
• Asset classification
• Asset location
• Asset impact levels to (C)onfidentiality, (I)ntegrity and (A)vailability
Asset identification needs to be completed as an organisation-wide exercise. A basic segregation of information assets for the entire organisation is as follows:
- Information assets
- Intangible assets (e.g. brand and reputation)
A common method of identifying assets is to conduct interviews with departmental heads and produce a list of assets as presented by those managers. However, from a governance perspective, it is the responsibility of the information security professional to ensure that managers have a clear understanding of what constitutes an information asset, its relevance within a corporate governance structure and how identified information assets need to be managed.
Let us take the example of a simple asset, a laptop:
• This asset has a monetary value to the organisation – it’s probably a well known and reputable brand that has been procured.
• Laptops are issued, generally, by the IT department and this is where we would expect to find a list of the laptops issued throughout the organisation.
• Laptops naturally offer a flexible working pattern, enabling you to work remotely, i.e. from home, cafes, trains, airports, etc.
• Employees will store, process and transmit all sorts of information on these laptops in order to perform their legitimate duty.
Naturally, the types of information being stored, communicated, processed or accessed by laptops are going to vary considerably across the organisation, as per Figure 1.
Identifying asset owner
In the process of identifying asset owners, it is important to identify a functional role that has oversight of specific types of assets. Asset owners are responsible for:
• Identifying risks to the asset type.
• Providing guidance and instructions on how the asset should be used.
• Identifying levels of protection required depending on the asset classification.
• Implementing and verifying the effectiveness of security controls in respect of that asset type.
With the laptop example, the logical owner would be the IT Manager. The rationale is that the IT Manager has complete control over this type of asset, including ingress, egress, maintenance, etc. Sometimes, organisations assign asset ownership to a department rather than a role, e.g. the IT Department. This practice, however, should be avoided wherever possible, as it is nigh on impossible to establish collective responsibility.
Depending on the organisational structure, it would typically be the asset owner who would decide asset classification. The classification must be approved by top management and the criteria for protection of assets must be in line with their criticality.
If in doubt, ask yourself ‘What if’ for the particular asset you are responsible for. During this process, paranoia may lead to exaggerated classification, but it is a learning process. It is important to get the right balance, however, as under-classification could lead to unauthorised disclosure or access and over-classification (i.e. too much security) could lead to a loss of availability.
As presented in Figure 2, the IT Manager must consult the business to evaluate what level of protection should be applied to laptops. For illustrative purposes, let’s consider an organisation which has adopted three levels of classification: confidential, restricted and public (Figure 2). In this scenario, the IT Manager will evaluate what is the highest classification requirement for laptops in each functional area and apply security controls in accordance with that requirement.
So, the real key is to understand what the laptop will be used for, and its classification will be inherited from the classification of the information accessed through it, stored on it or processed by it.
As with classification, impact levels are assigned by the asset owner. Determining the impact levels of assets can be relatively complex and we will address this in more detail in a future blog. However, in terms of the impact level associated with our laptops, again it is inherited from the information.
For example, if our laptop is to be used by someone who works in HR, it is highly likely that the information which the laptop is exposed to has a high impact value. After all, it is likely to include personally identifiable information which is subject to data protection legislation. Consequently, our laptop will inherit that high impact value. Once this assessment has been made, the asset owner can implement the appropriate controls to protect the laptop.
Finally, but certainly not least, it is important for any organisation to understand what it has under its control in terms of its information assets and other supporting assets. Without this information, it will be almost impossible to ensure that the appropriate levels of protection are being implemented. We suggest developing an asset register which includes the following details:
• Asset name
• Asset type
• Asset owner
• Asset classification
• Asset location
• Asset impact levels
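The two ideas above, that a laptop inherits the highest classification and the highest C/I/A impact levels of the information handled in each functional area, and that each asset then gets a register entry with the fields just listed, can be made concrete in a few lines. The following Python is an added illustration written for this post, not code from the original article or from any standards body. The three classification levels, the functional areas, the information assets and their impact ratings are constructed sample data; the role names and the rule that an owner ending in "department" or "team" is flagged are assumptions chosen to mirror the guidance above.

```python
"""Derive a supporting asset's classification and impact levels from the
information it handles, and record it in a minimal asset register.
Added illustration; all levels, areas and sample assets are constructed."""
from dataclasses import dataclass

# Illustrative ordering of the three classification levels (lowest first).
CLASSIFICATION_ORDER = ["public", "restricted", "confidential"]
IMPACT_ORDER = ["low", "medium", "high"]
CIA = ("C", "I", "A")


@dataclass(frozen=True)
class InformationAsset:
    """One body of information, managed as a single unit."""
    name: str
    owner: str               # functional role accountable for it
    classification: str      # one of CLASSIFICATION_ORDER
    location: str
    functional_area: str     # business function that uses it
    impact: dict             # {"C": ..., "I": ..., "A": ...} from IMPACT_ORDER


@dataclass(frozen=True)
class RegisterEntry:
    """The register fields recommended above, for any asset type."""
    name: str
    asset_type: str
    owner: str
    classification: str
    location: str
    impact: dict


def highest(levels, order):
    """Return the highest of `levels` according to `order`; reject unknown values."""
    unknown = set(levels) - set(order)
    if unknown:
        raise ValueError(f"unknown level(s): {sorted(unknown)}")
    return max(levels, key=order.index)


def derive_laptop_entry(info_assets, functional_area, owner="IT Manager",
                        location="Issued by IT; mobile"):
    """Register entry for laptops used in one functional area. Classification
    and C/I/A impact are inherited from the information that area stores,
    processes or accesses on the laptop (the highest level wins)."""
    in_scope = [a for a in info_assets if a.functional_area == functional_area]
    if not in_scope:
        raise ValueError(f"no information assets recorded for {functional_area!r}")
    return RegisterEntry(
        name=f"Laptop ({functional_area})",
        asset_type="supporting asset / hardware",
        owner=owner,
        classification=highest([a.classification for a in in_scope], CLASSIFICATION_ORDER),
        location=location,
        impact={d: highest([a.impact[d] for a in in_scope], IMPACT_ORDER) for d in CIA},
    )


def validate_entry(entry):
    """Return governance problems with a register entry (empty list = acceptable)."""
    problems = []
    for f in ("name", "asset_type", "owner", "classification", "location"):
        if not getattr(entry, f).strip():
            problems.append(f"missing {f}")
    if entry.classification not in CLASSIFICATION_ORDER:
        problems.append(f"unknown classification {entry.classification!r}")
    if set(entry.impact) != set(CIA) or any(v not in IMPACT_ORDER for v in entry.impact.values()):
        problems.append("impact levels must give C, I and A, each low/medium/high")
    # Assumed heuristic: ownership should sit with a role, not a department.
    if entry.owner.lower().endswith(("department", "team")):
        problems.append("owner is a department, not a role: collective responsibility cannot be established")
    return problems


# Constructed sample data: two functional areas, two information assets each.
SAMPLE_INFORMATION_ASSETS = [
    InformationAsset("Employee personnel files", "HR Manager", "confidential",
                     "HR system", "HR", {"C": "high", "I": "high", "A": "medium"}),
    InformationAsset("Staff handbook", "HR Manager", "public",
                     "Intranet", "HR", {"C": "low", "I": "medium", "A": "low"}),
    InformationAsset("Press releases", "Marketing Manager", "public",
                     "Public website", "Marketing", {"C": "low", "I": "medium", "A": "medium"}),
    InformationAsset("Campaign plans", "Marketing Manager", "restricted",
                     "Shared drive", "Marketing", {"C": "medium", "I": "medium", "A": "low"}),
]


def build_laptop_register(info_assets):
    """One laptop entry per functional area, sorted by area name."""
    areas = sorted({a.functional_area for a in info_assets})
    return [derive_laptop_entry(info_assets, area) for area in areas]


if __name__ == "__main__":
    for entry in build_laptop_register(SAMPLE_INFORMATION_ASSETS):
        print(entry.name, entry.classification, entry.impact, validate_entry(entry) or "OK")
```

With the sample data, the HR laptop inherits "confidential" with C/I/A of high/high/medium, while the marketing laptop only reaches "restricted" with medium across the board; the register therefore tells the IT Manager that the same hardware needs different controls in the two areas, which is exactly the consultation Figure 2 describes.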