Types of Information Assets: Understanding and Securing Organizational Data

Overview

Lecture 8 focuses on understanding the different types of information assets within an organization and the specific security controls required to protect them. This article provides a detailed breakdown of the key points discussed, including the types of information, where that information is located, the systems that process it, and the security considerations that follow from each.

Key Concepts

1. Information Assets

Information assets encompass all forms of data and information processing systems that an organization must protect against cyber threats. Understanding the nature of these assets is crucial for implementing effective security controls.

2. Types of Information

  • Files and File Systems: Information stored as individual files on a file system, whether on personal devices like phones, tablets, and computers or on organizational file servers.
  • Databases: Structured data held in databases for various organizational purposes.
  • Email Repositories: Large quantities of sensitive information stored in email systems.
  • Archives and Backups: Information held in long-term storage for disaster recovery and compliance purposes.
  • Structured vs. Unstructured Data: Structured data is organized into predefined fields and records (for example, database tables), so it can be queried and classified mechanically; unstructured data has no fixed schema and includes natural-language documents such as reports, emails, and chat messages, which makes it harder to locate and label and therefore easier to lose track of.

3. Location of Information

  • Information at Rest: Data stored on servers, personal computing devices, offline storage media, and in the cloud.
  • Information in Motion: Data being transferred across networks, including organizational LANs, Wi-Fi networks, and public networks.

4. Information Processing Systems

  • Personal Devices: Phones, tablets, and desktops.
  • Servers: Both organization-operated and cloud-based servers.
  • Third-Party Services: Managed services like email and security services.

5. Security Considerations

The type and severity of risks depend on both the type of information and its location. Different security controls are required to protect data at rest and in motion, as well as the systems processing this data.

Detailed Breakdown

1. Information at Rest

  • Storage Locations: Information can be stored in various locations, including organizational servers, personal devices, and offline storage.
  • Example: Personal devices often store local copies of emails, instant messages, photographs, and forms. These devices need controls such as strong, non-guessable passcodes, device encryption so that a lost or stolen device does not expose those local copies, and backups so that the data is not lost together with the device.

2. Information in Motion

  • Transfer Methods: Data can be transferred using internal networks (LANs, Wi-Fi) or external networks (public internet, mobile networks).
  • Example: When information is transmitted over the internet, it must be protected with an authenticated, encrypted transport such as TLS, which prevents both eavesdropping and undetected modification in transit. The endpoints must also verify each other's identity (for example, by validating the server certificate), because encrypting to an unauthenticated peer offers no protection against an attacker who sits in the middle.

3. Information Processing Systems

  • Computing Platforms: Include a wide range of devices and systems, from personal devices to organizational servers and cloud services.
  • Third-Party Services: Many organizations use third-party services for email, security, and other applications, introducing additional considerations for security.

Applying Security Controls

1. Confidentiality

  • Encryption: Encrypt data at rest and in transit to protect it from unauthorized access. Encryption is only as strong as the protection of its keys, so keys must be stored and managed separately from the data they protect.
  • Access Controls: Implement strong access control mechanisms, following least privilege, so that each user, service, and system can reach only the information it needs.

2. Integrity

  • Checksums and Hash Functions: Use cryptographic hash functions (for example, SHA-256) to detect accidental corruption of stored or transmitted data. Against deliberate tampering a plain hash is not enough, because an attacker who can alter the data can usually recompute and replace the stored hash as well; for that threat use a keyed message authentication code (such as HMAC) or a digital signature whose key the attacker does not hold.
  • Version Control: Implement version control systems to track changes, attribute each change to an author, and allow a known-good version to be restored if data is altered.
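
The following Python, added here as an illustration and not part of the lecture or the original page, makes the hash-versus-MAC distinction concrete using only the standard library. The record contents and the key are constructed for the example. A plain SHA-256 checksum catches a flipped byte, but an attacker who can rewrite both the record and its stored checksum passes verification; an HMAC under a key the attacker does not hold does not.

```python
import hashlib
import hmac
import io
import secrets
from typing import BinaryIO

# Constructed sample record standing in for a file at rest (not from the original page).
ORIGINAL = b"account=alice;balance=100\n"
TAMPERED = b"account=alice;balance=900\n"

CHUNK_SIZE = 64 * 1024  # hash large archives and backups in chunks, not all at once


def sha256_stream(stream: BinaryIO) -> str:
    """Unkeyed SHA-256 over a file-like object, read in chunks. Detects corruption."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_checksum(data: bytes) -> str:
    return sha256_stream(io.BytesIO(data))


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    # compare_digest is constant-time, so the comparison does not leak where it failed
    return hmac.compare_digest(sha256_checksum(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), expected_hex)


def forgery_passes_plain_hash(original: bytes, tampered: bytes) -> bool:
    """Attacker can rewrite both the data and the stored checksum.
    Returns True when the forged pair still verifies, i.e. the control failed."""
    stored_data, stored_hash = tampered, sha256_checksum(tampered)  # attacker recomputes
    return verify_checksum(stored_data, stored_hash)


def forgery_passes_hmac(key: bytes, original: bytes, tampered: bytes) -> bool:
    """Same attacker, but the tag is keyed and the attacker does not hold `key`.
    Their options are to keep the old tag or tag under a guessed key; both fail."""
    old_tag = hmac_tag(key, original)
    guessed_tag = hmac_tag(secrets.token_bytes(32), tampered)
    return verify_hmac(key, tampered, old_tag) or verify_hmac(key, tampered, guessed_tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: stored separately from the data
    print("checksum catches corruption:",
          not verify_checksum(TAMPERED, sha256_checksum(ORIGINAL)))
    print("plain hash defeated by active attacker:",
          forgery_passes_plain_hash(ORIGINAL, TAMPERED))
    print("HMAC defeated by active attacker:",
          forgery_passes_hmac(key, ORIGINAL, TAMPERED))
```

The same point carries over to backups and archives: a manifest of SHA-256 sums kept next to the archive protects only against bit rot, while a manifest signed or MACed with a key kept elsewhere also protects against someone who can write to the archive store.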

3. Availability

  • Redundant Systems: Use redundant systems and regularly tested backups to keep data available after a failure. Keep at least one backup copy offline or otherwise isolated, so that a ransomware infection or a compromised administrator account cannot destroy the backups along with the primary data.
  • Denial of Service Protections: Implement protections against denial of service attacks (rate limiting, capacity headroom, upstream filtering) to keep information processing systems available to legitimate users.

Relevant Standards and Publications

ISO/IEC 27002

  • Standard: ISO/IEC 27002 provides a comprehensive catalog of security controls for managing information security. The clause numbers below follow the 2022 edition.
  • Clauses to Review:
    • Clause 5.1: Policies for information security.
    • Clause 5.2: Information security roles and responsibilities.
    • Clause 8: Technological controls (including 8.13 Information backup and 8.24 Use of cryptography).

NIST Special Publication 800-53

  • Document: National Institute of Standards and Technology. Security and privacy controls for information systems and organizations, NIST Special Publication 800-53 (Rev 5), 2020.
  • Chapter to Review: Chapter 2 (pp. 7–15).

Books for Further Reading

  1. “Information Security Management Principles” by Andy Taylor, David Alexander, Amanda Finch, and David Sutton:
    • Provides a foundational understanding of information security management, aligning with ISO/IEC standards.
  2. “Security Risk Management: Building an Information Security Risk Management Program from the Ground Up” by Evan Wheeler:
    • Discusses practical approaches to risk management, integrating broader principles that complement the CIA triad.
  3. “Cybersecurity and Cyberwar: What Everyone Needs to Know” by P.W. Singer and Allan Friedman:
    • Offers an overview of cybersecurity concepts, including the application of the CIA triad.

Summary

Lecture 8 highlights the importance of understanding the different types of information assets and their locations within an organization. By categorizing information and understanding the risks associated with each type, organizations can implement appropriate security controls to protect the confidentiality, integrity, and availability of their information assets. The application of standards like ISO/IEC 27002 and NIST SP 800-53 provides detailed guidance on implementing these controls, ensuring a comprehensive approach to information security. The recommended books offer further insights and practical guidance for managing information security in organizational settings.
