A guide to knowing your assets and avoiding a one size fits all approach to security


Have you ever found someone pushing a one size fits all approach to security? Standards are a useful guide but don’t explain what within any standard should be the priority for any given business. This guide (and the associated series) is intended to help you align your security program with your business needs.

A one size fits all approach to security results in under- or over-protection because you’re treating everything with the same level of security. It is therefore necessary to group assets into different classifications and apply different security policies and standards to each group or classification. But first you must identify your assets and who “owns” them within your organisation! Such asset management processes are supported by requirements found in industry standards such as ISO 27001 and the NIST Cyber Security Framework, along with government standards such as the Victorian Protective Data Security Standards (VPDSS) (links to each below).

Informed by your organisation’s context and the scope of the security program, you’ll need to locate existing or prepare new asset registers for hardware, software and information. Hardware registers commonly include servers (development, testing and production), workstations, tablets, phones and portable media. Software includes source code, commercial off the shelf (COTS) software and cloud services. Information includes all the inputs and outputs associated with critical business processes, for example budgets, purchase orders and invoices as part of financial management processes.

Once you’ve identified your assets, you’ll need to identify owners for each asset. The asset owner will be responsible for the risk decisions and the state of protection (security). You may find you have different owners for information and systems versus hardware and software. The owner of information and systems should be whoever is dependent on them for the operation of their business process, for example the Chief Financial Officer (CFO) for financial information and systems. The owner, or rather custodian, of hardware and software may be an IT manager or a third party in outsourced or cloud style arrangements.

Owners are required to set the classification(s) of assets based on the sensitivity of the asset to security risk. We at Arcord Cyber Security (link below) use a traffic light system (green/low, orange/medium and red/high) for each of the primary security attributes of confidentiality, integrity and availability. Governments have their own classification schemes which should be applied.

Our TrustyGate software platform (link below) can be used as a basic information asset register for small to medium sized organisations. It will capture information about each asset including type (e.g. information, hardware or software), owner, classifications for each of confidentiality, integrity and availability, along with the associated system and third party. The asset ratings (classifications) start out using our traffic light system discussed above but you can tailor them to anything that suits. TrustyGate can also remind you to perform scheduled reviews to keep the register, including owners and classifications, up-to-date.

TrustyGate allows you to identify assets at risk when completing risk assessments. If you do this, you’ll later be able to produce reports that identify assets at risk for asset owners so that they can manage them appropriately. Our next article will explain how to manage your risks now and into the future.

We plan to develop the information asset register component of our TrustyGate platform much further, including the collection of more information about assets, allowing more than one third party to be assigned to a single asset, and allowing for integrations with other systems where this information may be stored. If you have any questions or feedback, or would like a trial account, please don’t hesitate to visit the webpage or get in touch by emailing us.

Other articles in this series:

For more information:


More articles by Andrew Robinson
