Computer Science Unit – III SCSJA63 – Principles of Information Security
People, Procedures, and Data Asset Identification
People: Position name/number/ID (avoid names and stick to identifying positions, roles,
or functions); supervisor; security clearance level; special skills
Procedures: Description; intended purpose; relationship to software, hardware, and
networking elements; storage location for reference; storage location for update
Data: Classification; owner, creator, and manager; size of data structure; data structure
used (sequential or relational); online or offline; location; backup procedures employed
Hardware, Software, and Network Asset Identification
Name: Organizations may have several names for the same product.
IP address: This can be a useful identifier for network devices and servers, but IP addresses are often assigned dynamically (for example by DHCP) and reassigned over time, which makes relying on IP numbers as part of the asset identification process problematic.
Media access control (MAC) address: MAC addresses are sometimes called electronic
serial numbers or hardware addresses. The network operating system uses the MAC
address to identify a specific network device, so MAC addresses can be a useful way to
track connectivity. Note, however, that a MAC address can be spoofed by some hardware
and software combinations.
Element type: You can develop a list of element types, such as servers, desktops,
networking devices, or test equipment, to whatever degree of detail you require.
Serial number: The serial number can uniquely identify a specific device.
Manufacturer name: Record the manufacturer of the device or software component.
Manufacturer’s model number or part number: Record the model or part number of the
element. This record of exactly what the element is can be very useful in later analysis of
vulnerabilities.
Software version, update revision, or FCO number: An FCO (Field Change Order) is an
authorization issued by an organization for the repair, modification, or update of a piece
of equipment.
Physical location: Note where this element is physically located. This matters for software
as well, because some organizations have license terms that specify where software can be used.
Logical location: Note where this element can be found on the organization’s network.
The logical location is most useful for networking devices and indicates the logical
network where the device is connected.
Controlling entity: Identify which organizational unit controls the element.
Automated Asset Inventory Tools
Automated tools can sometimes identify the system elements that make up hardware,
software, and network components. The inventory listing is usually available in a database or can
be exported to a database for custom information on security assets. Once stored, the inventory
listing must be kept current, often by means of a tool that periodically refreshes the data. Simple
word processing, spreadsheet, and database tools can provide adequate record keeping.
DATA CLASSIFICATION AND MANAGEMENT
Many corporations use a data classification scheme to help secure the confidentiality and
integrity of information. The information classifications are as follows:
Confidential: Used for the most sensitive corporate information that must be tightly
controlled, even within the company. Access to information with this classification is
strictly on a need-to-know basis or as required by the terms of a contract. Information with
this classification may also be referred to as “sensitive” or “proprietary.”
Internal: Used for all internal information that does not meet the criteria for the
confidential category and is to be viewed only by corporate employees, authorized
contractors, and other third parties.
External: All information that has been approved by management for public release.
The military is perhaps the best-known user of data classification schemes. In order to maintain
the protection of the confidentiality of information, the military has invested heavily in INFOSEC
(information security), OPSEC (operations security), and COMSEC (communications security).
The military uses a five-level classification scheme:
Unclassified data: Information that can generally be distributed to the public without any
threat to U.S. national interests.
Sensitive But Unclassified data (SBU): Common SBU categories include For Official Use
Only, Not for Public Release, or For Internal Use Only.
Confidential data: Any information or material the unauthorized disclosure of which
reasonably could be expected to cause damage to the national security.
Secret data: Any information or material the unauthorized disclosure of which reasonably
could be expected to cause serious damage to the national security.
Top Secret data: Any information or material the unauthorized disclosure of which
reasonably could be expected to cause exceptionally grave damage to the national
security.
The military also has some specialty classification ratings, such as Personnel Information and
Evaluation Reports, to protect related areas of information.
Most organizations do not need this level of detail; a simpler scheme can still protect such
sensitive information as marketing or research data, personnel data, customer data, and general
internal communications. One such scheme uses the following categories:
Public: Information for general public dissemination, such as an advertisement or public
release.
For Official Use Only: Information that is not particularly sensitive, but not for public
release, such as internal communications.
Sensitive: Information important to the business that could embarrass the company or
cause loss of market share if revealed.
Classified: Information of the utmost secrecy to the organization, disclosure of which
could severely impact the well-being of the organization.
Security Clearances:
Corresponding to the data classification scheme is the personnel security clearance
structure. Most organizations have a set of roles and their associated security clearances.
Management of Classified Data
Management of classified data includes its storage, distribution, portability, and
destruction.
A clean desk policy requires that employees secure all information in appropriate storage
containers at the end of each day.
There are individuals who search trash and recycling bins—a practice known as dumpster
diving—to retrieve information that could embarrass a company or compromise
information security.
Classifying and Prioritizing Information Assets
Information assets are classified to represent the sensitivity and security priority of the data
and of the devices that store, transmit, and process the data.
Data classification categories are confidential, internal, and public (data classification
scheme generally requires a corresponding personnel security clearance structure).
Any system component classification method must be specific enough to enable
determination of priority levels.
It is also important that the categories be comprehensive and mutually exclusive.
Comprehensive means that all information assets must fit in the list somewhere.
Mutually exclusive means that an information asset should fit in only one
category.
Information Asset Valuation
Value retained from the cost of creating the information asset
Value retained from past maintenance of the information asset
Value implied by the cost of replacing the information
Value from providing the information
Value incurred from the cost of protecting the information
Value to owners
Value of intellectual property
Value to adversaries
Information Asset Prioritization
Once the inventory and value assessment are complete, you can prioritize each asset using a
straightforward process known as weighted factor analysis.
Identifying and Prioritizing Threats
After identifying and performing the preliminary classification of an organization’s information
assets, the analysis phase moves on to an examination of the threats facing the organization.
A wide variety of threats face an organization and its information and information systems.
Vulnerability Identification
Threats manifest themselves in multiple ways, yielding multiple vulnerabilities for that
threat. The process of listing vulnerabilities is somewhat subjective and depends upon the
experience and knowledge of the people creating the list.
The process works best when groups of people with diverse backgrounds within the
organization work iteratively in a series of brainstorming sessions.
The team that reviews the vulnerabilities of networking equipment should include the
networking specialists, the systems management team that operates the network, the
information security risk specialist, and technically proficient users of the system.
The TVA Worksheet
During the risk identification process, you should have produced a prioritized list of assets and
a prioritized list of threats. These two lists can be combined into a threats-vulnerabilities-assets
(TVA) worksheet in preparation for the addition of vulnerability and control information during
risk assessment.
The prioritized list of assets is placed along the horizontal axis, and the prioritized list of threats
along the vertical axis, with the most important or most dangerous threat listed at the top. The
resulting grid provides a convenient method of determining the exposure of assets, allowing a
simplistic vulnerability assessment.