What's your process for identifying the most critical information assets?

Not all scopes are born equal. Let's think about that for a moment and add some challenge; 1. We need to move our thinking on from a traditional scope; why? 2. Because there are so many dependencies now for applications as an example. Containers, cloud config etc. 3. We need to really determine whats is in the attack chain. No point in having a secure application on an insecure cloud config or container! I have seen too many applications breached because the scope was not necessarily correct. We need to think about the full chain and dependencies therein.

Very first step is to have detailed inventory of all information assets within the defined scope and categorize assets based on their type (e.g., servers, workstations, database) and their location (e.g., on-premises DC, DR, cloud). Identify data in each asset and how important this is to org like High confidentiality assets include personal data, trade secrets, and intellectual property. Engage with key stakeholders/ business owners to gather insights on the importance of different assets to the organization's mission and objectives. Conduct a BIA to understand the impact of losing access to each asset. Consider financial loss, legal implications, operational disruption, and reputational damage.

Clearly define the purpose of identifying critical information assets. Focus on understanding what needs protection to ensure business continuity, compliance, and risk management. Create a comprehensive list of all information assets. Include hardware, software, data repositories, networks, and intellectual property. Categorize assets based on their type and function. Classify data based on confidentiality, integrity, and availability requirements. Engage with business leaders, IT, legal, and compliance teams. Prioritize assets based on their assessed criticality. Use a scoring system or matrix to rank assets.

In my experience, identifying critical information assets involves a meticulous process starting with defining the scope, categorizing assets based on type and function, assessing their importance and risk, documenting all details, and regularly reviewing and updating the asset list. This ensures we prioritize protection efforts effectively, focusing on what truly matters to our organization 's mission and objectives

When evaluating the criticality of business processes, we can consider using three criteria: Business failure, Financial loss, and Reputational damage. Additionally, incorporating the CIA triad (Confidentiality, Integrity, and Availability) can provide a more comprehensive assessment of information systems. However, integrating the CIA triad into this criteria set requires careful consideration to avoid overburdening organizational units involved in the process.

This is best considered with respect to a threat model and informed by business and business risk priority. Take input here and consider "what are we trying to prove / protect". This categorisation thus becomes structured in its priority and focus can be given to the core assets that need attention. I would also like to offer another challenge; not everything needs A-Z testing because it excludes the ability to look at other assets. It is valid, as long as the business is comfortable, to have "shorter looks" and perhaps look wider. We can then drill into core areas of risk where required. Not all things need all testing as that often results in the exclusion of other parts of the necessary scope.

A really great trick here is to not only rely on system-derived information. But to ask people. I have learned never to underestimate the power of the undocumented and this sits in people - tacit knowledge! Then we can also use a threat model to follow the journey in systems to discover such assets. Too often people lean too heavily on tools to do this. Tools have their place and do indeed hold so much capacity for meta data around assets. But if they don't know that an asset exists then we cannot have the tool document it. Another factor to consider is this is not a won and done; its an iterative process and documentation is an ever evolving process.

Identifying critical information assets involves several steps. First, assess the organization's goals and objectives to understand what data is essential for operations. Then, analyze the potential impact of loss or compromise on confidentiality, integrity, and availability. Next, consider regulatory requirements and industry standards to pinpoint sensitive information. Additionally, evaluate the dependencies of various systems and processes on specific data. Finally, collaborate with stakeholders across departments to gain insights into their information needs and priorities. This holistic approach ensures that the most critical information assets are identified, safeguarded, and prioritized effectively.

Take a look at your business processes and understand why you are using certain assets. An asset does not exist in isolation, it should always be connected to a business process. While it may be easy to determine the requirements for confidentiality and integrity of information by considering applicable laws and the harm that disclosure can cause, you need more context to determine the need for an asset to be available. Analyze the impact of the information asset no longer being available and consider what this would mean for your business. There is a reason why ransomware attacks can be so lucrative even without the threat of disclosure: some information is so important that companies can choose between paying or going out of business.