When we think of asset security, at the first glance it looks pretty simple. After all, what is the big deal about tracking a few laptops and mobile phones? But when you dive deeper into the details of what an asset is, you will realize that the asset security responsibilities of an information security professional are vast.

 

What is an Asset?

Common definitions of asset include:

  • “any software, hardware, data, administrative, physical, communications, or personnel resource within an information system.”
  • “any data, device, or other components of the IT environment that supports information management-related activities
  • “an identifiable collection of data stored in any manner and recognized as having value for the purpose of enabling an organization to perform its business functions, thereby satisfying a recognized business requirement.”

Now, considering some of the information assets unlike physical assets do not appear on the company’s balance sheet. Hence it is more challenging to identify them.

 

Important milestones to implement asset security at its best

  1. Identify and classify information and assets.

In order to meet a company’s information security goals, the most important task at hand is to classify the assets properly. We need to understand that, just because something is an asset does not mean it is a critical business asset. The criticality of assets varies from industry to industry.

Classifying information helps the company to achieve its core information security goals of confidentiality, Integrity, and Availability. To correctly classify data and assets information security professionals need to assess a few questions:

  1. Who has access to the data?
  2. How is the data secured?
  3. How long will the data be retained?
  4. What methods should be used to dispose of the data?
  5. Does the data need encryption?
  6. What is the appropriate use of the data secured?

Once we have answers to these questions, we can easily determine what type of classification should be used for different types of data. Depending on the industry that you work in, two different classifications are used the first is commercial classification and the second is a military classification of data.

Commercial classifications are as follows:

  1. Private (Private data is information such as bank account numbers)
  2. The company restricted (Information that can be accessed only by a small group of employees)
  3. Company confidential (Information that can be accessed by all employees but not for public use)
  4. Public (Information that can be accessed by all)

Military classifications are as follows:

  1. Top Secret
  2. Secret
  3. Confidential
  4. Sensitive but Unclassified or SBU
  5. Unclassified

 

  1. Protect privacy.

In today’s time, data privacy has become a great topic for debate since information is present everywhere, and protecting it, accessing it, and destroying it are all critical issues. Data privacy has been evolving and changing with the needs of various industries.

Countries like the US and Europe have shown great interest in data protection rules and have set directives to ensure the data of their citizens are protected in all aspects.

Some of the important points to be noted in these directives are:

  1. Personal data collection should be kept to a bare minimum.
  2. The EU’s Single market dimension should be strengthened by removing administrative hurdles.
  3. Personal data retained by law enforcement should also be protected.
  4. When data is transferred outside the EU, the procedures must be streamlined completely.

While EU has made it clear that whenever data travels outside the EU it must be protected. However, the US has a slightly different approach to it. US Department of Commerce in consultation with the Federal Data Protection and Information Commissioner of Switzerland developed a ‘Safe Harbor’ framework. One of the important features of the ‘Safe Harbor’ program is that the companies in the US in the list of ‘Safe Harbor’ list can receive data from the EU.

 

  1. Ensure appropriate asset retention.

Asset retention policies play a very important role in who a company secures, stores use, and later disposes of data. It is extremely essential that all the important stakeholders of the company are involved in creating this policy for your organization.

The following steps regulate both asset and data management:

  1. Understand the business needs of the company
  2. classify data.
  3. determine retention periods.
  4. draft record retention policies
  5. Justify the record retention policy.
  6. Train staff
  7. Retention policies should be audited.
  8. Reviewing the policies regularly.
  9. Record retention policy must be documented.

While it is important that we classify data appropriately, however, retaining the data for the right amount of time is also essential. Every company should define its retention periods with extreme care.

 

  1. Determine data security controls.

While determining the data security controls it is important, we take into consideration the following recommendations depending on the condition of the data:

“Data in rest” is when data is stored such as backup tapes, offsite storage, and password files. These storage mediums contain highly sensitive information, and it is important that they are protected and not altered in any way. This can be achieved by using encryption tools and algorithms, using a secure password management tool, and storing the removable media in a secured and locked location.

“Data in motion” is the data that is in transit. This data has to be secured as well since the “data in motion” can be snooped and sniffed. This is accomplished by encrypting the data which is transmitted. “Data in motion” can be encrypted via link encryption and/or end-to-end encryption.

 

  1. Establish information and asset handling requirements.

Physical and information assets should be labeled clearly so that they can be handled easily. Assets can also be marked as ‘Top Secret’, ‘Secret’ or ‘public’ and subjects will have corresponding clearances to view them.

Companies should have procedures related to

  1. Marking (as an example, media containing a label stating whether it is encrypted or not)
  2. Handling (who can access the asset)
  3. Storing (where is the sensitive data stored)
  4. destroying of sensitive information (and how are we going to destroy it, once its purpose is over)

This ensures physical and information assets to be handled properly.

 

Why is Asset Security Important?

Asset security is a demonstration of security assurance from a compliance perspective. In case the asset is stolen or tampered a well-implemented asset security framework would help in isolating the device from the network and wipe out the data from the laptops if needed. These seemingly simple controls can help a company protect its physical and information assets.

 

Author,

Sobiya Munshi

Audit and Compliance Team,

Varutra Consulting Pvt. Ltd.