Nearly all computer users would like their information to be better protected. Doing a better job, however, requires more than installing a better anti-virus package and a firewall. Much more should be done.
Owners must begin to protect their digital assets by creating a systematic and comprehensive plan. Protecting digital assets must be viewed as a business process like accounting and marketing.
We can do a better job.
Leaders in the U.S. intelligence community recently testified before Congress. The message they shared was that the security of our information infrastructure is the single most important component of our national security.
At least one private computer security company agrees with the consensus coming from our intelligence agencies and believes that we have paid too little attention to the problem for too long.
Developing a more robust plan for information assurance must begin with identifying all of an organization's digital assets. You cannot improve the protection of mission-critical assets you do not know you have.
An information asset inventory must identify every component used by an organization to acquire, process and store information. Listed below are a number of items that should be included in an information asset inventory:
The Name of each asset – Each item that is a part of the system must be formally identified (e.g. “invoices,” “a perimeter router,” etc.) and recorded.
Description – A written narrative must accompany each information asset in the inventory.
The name of the asset’s owner – Each information resource must be assigned an “owner” for the purpose of accountability. The owner must have the authority needed to make sure that the resource is obtained or created, used and maintained in a manner consistent with the organization’s overall security plan.
Classification – Every item on an information system inventory should be classified as to its level of criticality. Many businesses have limited financial resources and must be careful how they spend money to protect the most mission critical assets.
Volume and location – The quantity and location of each information asset (e.g. 12 servers in Building A, 48 terminals in the warehouse, etc.) should be specified.
Description of the equipment – Each computer hardware item must be described and ideally include a unique serial number, model number, MAC (Media Access Control) address or other identifying characteristic.
Name and version of software – Each commercial package or in-house program used by the organization, together with its version, should be a matter of record.
Process names – Information is created throughout an organization as employees process data. Each such process should be named and linked to the other digital assets it uses to produce information for decision-making.
Identification of storage media – Data, as it flows through an organization, is recorded and stored on various types of media (e.g. hard drives, paper, etc.). The type of media being used for storage should be specified.
Replacement value – Asset owners should know how much it would cost to replace an information asset. Knowing the replacement cost tells infrastructure owners which items are the most expensive to lose and makes it easier to decide where to reduce risk.
Business value – Each information asset in the inventory should also be rated as to its business value, which is not the same as its replacement cost. For example, a public-facing website is highly valuable to the business because downtime costs sales and reputation, yet replacing a damaged copy of it might be as inexpensive as re-installing it from a backup.
An information asset inventory, if done properly, lists all mission-critical assets with their volume, location and status. With this information the organization can craft security plans and determine a sensible way to prioritize the expenditures that protect the infrastructure.
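The inventory fields above amount to a record schema, and the prioritization the previous paragraph describes is a sorting rule over those records. The following Python is an added example, not code from the article or from Paladin Information Assurance: it models one inventory record per asset, flags records that fail the accountability and identification requirements listed above (no owner, no classification, hardware without a serial or MAC, data without a recorded medium), ranks assets for protective spending by criticality and then business value, and lists the assets where business value and replacement cost diverge, the website case discussed above. The criticality class names, the 1-to-5 business-value scale and the sample records are all assumptions constructed for the example.

```python
"""Information-asset inventory: completeness check and spending prioritization."""
from dataclasses import dataclass, field
from typing import List, Optional

# Criticality classes, most critical first. The names are an assumption for
# this example; substitute the organization's own classification scheme.
CRITICALITY_ORDER = ["mission-critical", "important", "routine"]


@dataclass
class Asset:
    name: str                      # formal asset name, e.g. "invoices", "perimeter router"
    description: str               # written narrative
    owner: Optional[str]           # accountable person or role; None means unassigned
    classification: Optional[str]  # one of CRITICALITY_ORDER
    quantity: int                  # volume
    location: str
    kind: str                      # "hardware", "software", "process" or "data"
    identifiers: List[str] = field(default_factory=list)    # serial, model, MAC, version
    storage_media: List[str] = field(default_factory=list)  # e.g. "hard drive", "paper"
    replacement_value: float = 0.0  # cost to replace, in currency units
    business_value: int = 0         # 1 (low) .. 5 (high); scale is an assumption


def validate(inventory):
    """Return a list of human-readable problems; an empty list means every record is complete."""
    problems = []
    seen = set()
    for a in inventory:
        if a.name in seen:
            problems.append(f"{a.name}: duplicate asset name")
        seen.add(a.name)
        if not a.owner:
            problems.append(f"{a.name}: no accountable owner assigned")
        if a.classification not in CRITICALITY_ORDER:
            problems.append(f"{a.name}: classification {a.classification!r} is not one of {CRITICALITY_ORDER}")
        if a.kind == "hardware" and not a.identifiers:
            problems.append(f"{a.name}: hardware with no serial, model or MAC recorded")
        if a.kind == "data" and not a.storage_media:
            problems.append(f"{a.name}: data asset with no storage medium recorded")
        if not 1 <= a.business_value <= 5:
            problems.append(f"{a.name}: business value must be between 1 and 5")
    return problems


def prioritize(inventory):
    """Order assets for protective spending: most critical class first, then highest
    business value, then highest replacement cost. Returns the asset names in that order."""
    def key(a):
        rank = (CRITICALITY_ORDER.index(a.classification)
                if a.classification in CRITICALITY_ORDER else len(CRITICALITY_ORDER))
        return (rank, -a.business_value, -a.replacement_value)
    return [a.name for a in sorted(inventory, key=key)]


def cheap_to_replace_but_valuable(inventory, max_replacement=1000.0, min_business_value=4):
    """Assets whose business value and replacement cost diverge: a short outage hurts
    even though rebuilding from backup is cheap, so availability controls matter more
    than the replacement budget suggests."""
    return [a.name for a in inventory
            if a.replacement_value <= max_replacement and a.business_value >= min_business_value]


# Constructed sample inventory for this example (not real data). The MAC address is
# from the documentation range reserved for examples.
SAMPLE_INVENTORY = [
    Asset("public website", "Customer-facing site and order forms", "Marketing director",
          "mission-critical", 1, "hosted, datacenter A", "software",
          identifiers=["cms 4.2"], storage_media=["virtual disk", "nightly backup"],
          replacement_value=500.0, business_value=5),
    Asset("perimeter router", "Edge router for Building A", "Network manager",
          "mission-critical", 1, "Building A, comms room", "hardware",
          identifiers=["model RX-1000", "MAC 00:00:5e:00:53:01"],
          replacement_value=8000.0, business_value=4),
    Asset("invoices", "Customer invoice records", "Controller",
          "important", 1, "file server, Building A", "data",
          storage_media=["paper", "file server"], replacement_value=2000.0, business_value=3),
    Asset("warehouse terminals", "Picking and shipping terminals", None,
          "important", 48, "warehouse", "hardware",
          identifiers=["model T-100"], replacement_value=14400.0, business_value=2),
]


if __name__ == "__main__":
    for problem in validate(SAMPLE_INVENTORY):
        print("INCOMPLETE:", problem)
    print("Spending priority:", prioritize(SAMPLE_INVENTORY))
    print("Cheap to rebuild but high business value:", cheap_to_replace_but_valuable(SAMPLE_INVENTORY))
```

Run against the sample records, the check reports the warehouse terminals as lacking an owner, the priority order puts the website and router ahead of the invoices and terminals, and the website is the one asset flagged as cheap to rebuild yet high in business value, which is exactly why replacement cost alone is a poor guide to where protective spending belongs.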
Dr. William G. Perry is the founder of Paladin Information Assurance ([http://www.paladin-information-assurance.com]) and its chief information security analyst. Paladin’s mission is to help organizations discover information security risks and to deploy mitigations. Its core belief is that the protection of digital processing infrastructure is a matter of national security and must be treated as a key business process.