When we think of asset security, at first glance it looks pretty simple. After all, what is the big deal about tracking a few laptops and mobile phones? But when you dive deeper into the details of what an asset is, you realize that the asset security responsibilities of an information security professional are vast.
Common definitions of asset include:
Note that some information assets, unlike physical assets, do not appear on the company’s balance sheet, which makes them more challenging to identify.
In order to meet a company’s information security goals, the most important task at hand is to classify the assets properly. We need to understand that, just because something is an asset does not mean it is a critical business asset. The criticality of assets varies from industry to industry.
Classifying information helps the company achieve its core information security goals of confidentiality, integrity, and availability. To correctly classify data and assets, information security professionals need to answer a few questions:
Once we have answers to these questions, we can easily determine which classification should be used for each type of data. Depending on the industry you work in, one of two classification schemes is used: the first is the commercial classification of data and the second is the military classification of data.
Commercial classifications are as follows:
Military classifications are as follows:
Today, data privacy is a major topic of debate: information is present everywhere, and protecting it, accessing it, and destroying it are all critical issues. Data privacy has been evolving and changing with the needs of various industries.
The US and Europe have shown great interest in data protection rules and have set directives to ensure the data of their citizens is protected in all aspects.
Some of the important points to be noted in these directives are:
The EU has made it clear that whenever data travels outside the EU it must be protected. The US, however, takes a slightly different approach. The US Department of Commerce, in consultation with the Federal Data Protection and Information Commissioner of Switzerland, developed a ‘Safe Harbor’ framework. One of the important features of the ‘Safe Harbor’ program is that US companies on the ‘Safe Harbor’ list can receive data from the EU.
Asset retention policies play a very important role in how a company secures, stores, uses, and later disposes of data. It is essential that all the important stakeholders of the company are involved in creating this policy for your organization.
The following steps regulate both asset and data management:
While it is important that we classify data appropriately, retaining the data for the right amount of time is also essential. Every company should define its retention periods with extreme care.
When determining data security controls, it is important to take the following recommendations into consideration, depending on the state of the data:
“Data at rest” is stored data, such as backup tapes, offsite storage, and password files. These storage media contain highly sensitive information, and it is important that they are protected and not altered in any way. This can be achieved by using encryption tools and algorithms, using a secure password management tool, and storing removable media in a secured and locked location.
“Data in motion” is the data that is in transit. This data has to be secured as well since the “data in motion” can be snooped and sniffed. This is accomplished by encrypting the data which is transmitted. “Data in motion” can be encrypted via link encryption and/or end-to-end encryption.
Physical and information assets should be labeled clearly so that they can be handled correctly. Assets can be marked as ‘Top Secret’, ‘Secret’ or ‘Public’, and subjects will have corresponding clearances to view them.
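As an added example (not part of the original post), the following Python script shows how the two ideas above fit together in an asset inventory: a subject may view an asset only if its clearance dominates the asset's label, and each asset is flagged for disposal once its classification's retention period has expired. The label ordering, the retention periods and the inventory entries are all assumptions constructed for the example; real values come from the organization's classification and retention policies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Tuple

# Assumed ordering of the labels mentioned in the post (higher number = more sensitive).
LEVELS = {"Top Secret": 3, "Secret": 2, "Confidential": 1, "Public": 0}

# Assumed (constructed) retention period per label, in days.
RETENTION_DAYS = {"Top Secret": 3650, "Secret": 1825, "Confidential": 730, "Public": 365}


@dataclass(frozen=True)
class Asset:
    name: str
    label: str      # classification marking on the asset
    created: date   # date the asset entered the inventory


def can_read(clearance: str, asset: Asset) -> bool:
    """A subject may view an asset only if its clearance dominates the asset's label."""
    if clearance not in LEVELS or asset.label not in LEVELS:
        # Unlabeled assets or unknown clearances are an error, never silently readable.
        raise ValueError("unknown label or clearance")
    return LEVELS[clearance] >= LEVELS[asset.label]


def retention_status(asset: Asset, today: date) -> str:
    """'retain' while inside the retention period, 'dispose' once it has expired."""
    expires = asset.created + timedelta(days=RETENTION_DAYS[asset.label])
    return "retain" if today < expires else "dispose"


def review_inventory(assets: Iterable[Asset], clearance: str,
                     today: date) -> Dict[str, Tuple[bool, str]]:
    """For each asset: (may this subject read it?, retention status)."""
    return {a.name: (can_read(clearance, a), retention_status(a, today)) for a in assets}


# Constructed sample inventory (not real assets).
INVENTORY = [
    Asset("backup-tape-07", "Top Secret", date(2015, 1, 10)),
    Asset("password-file", "Secret", date(2023, 6, 1)),
    Asset("press-release", "Public", date(2022, 3, 15)),
]

if __name__ == "__main__":
    for name, (ok, status) in review_inventory(INVENTORY, "Secret", date(2024, 1, 1)).items():
        print(f"{name}: readable={ok} retention={status}")
```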
Companies should have procedures related to
This ensures that physical and information assets are handled properly.
Asset security is a demonstration of security assurance from a compliance perspective. If an asset is stolen or tampered with, a well-implemented asset security framework helps isolate the device from the network and wipe the data from the laptop if needed. These seemingly simple controls can help a company protect its physical and information assets.
Author,
Sobiya Munshi
Audit and Compliance Team,
Varutra Consulting Pvt. Ltd.