An Information Asset Profile (IAP) will help you to characterize your information assets to ensure you’re providing the necessary level of security protection. An IAP is one of the primary inputs necessary for a successful threat risk assessment (TRA).
The information in this article is based on work done at Carnegie Mellon University on Information Asset Profiling but has been extended based on our work implementing information security with our clients.
Information security (IS) requires the classification and valuation of the information assets to ensure that the right level of protection for those assets is provided. The required level of protection is usually determined by using a risk assessment.
A Threat Risk Assessment (TRA) is the first part of any risk management methodology. It is used to determine the extent of the potential threat and the risk associated with a company’s information assets. The output of this process helps to identify appropriate safeguards for reducing or eliminating risk during risk mitigation.
The threat risk assessment methodology encompasses nine primary steps:
1. Information Characterization
2. Threat Identification
3. Vulnerability Identification
4. Safeguard Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Safeguard Recommendation
9. Results Documentation
An Information Asset Profile (IAP) provides the information characteristics required in the first step shown above. The IAP allows information owners to profile (i.e. classify and value) their information assets; this is usually a requirement of an IS Policy to ensure the protection of a company’s information assets. Of course, if you’re going to profile your assets, you will need to know what they are: an IAP must be preceded by a complete inventory of your information assets and their security requirements.
Using an Information Asset Profile allows a company to:
– provide a consistent, unambiguous, and agreed upon description of an information asset;
– feed strategic information security activities, such as threat and risk assessments used to determine potential negative impacts;
– help with the selection of proper security controls and best practices by ensuring security requirements are addressed;
– refine policy and procedure by defining the information asset, its user-base, its custodians, its owner/stewardship, its boundaries, and its characteristics.
The Information Asset Profile defines the information itself, the people involved in its creation and use, and the processes or procedures that rely on the information. The primary contents are: Asset Name, Asset Description, Owner, Stakeholders, Custodial Aspects (i.e. custodians, whether the asset is held on paper or electronically, and locations), Security and Privacy Requirements, and Classification and Valuation.
Any, or a combination, of the following techniques can be used to gather information about the information asset: a questionnaire, on-site interviews, document reviews, or automated scanning tools.
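To make the profile contents listed above concrete, here is an added example (it is not from the article or from the Carnegie Mellon work) that models an IAP with those fields and checks an inventory of profiles for gaps before they are handed to the TRA. The field names, the four-level classification scale and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Primary IAP contents as listed in the article (field names are assumed).
REQUIRED = ("name", "description", "owner", "stakeholders", "custodians",
            "locations", "security_requirements", "classification")
# Assumed classification scale (the article defines none); higher = more sensitive.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CIA = ("confidentiality", "integrity", "availability")

@dataclass
class InfoAssetProfile:
    name: str
    description: str = ""
    owner: str = ""
    stakeholders: list = field(default_factory=list)
    custodians: list = field(default_factory=list)   # custodian and form, e.g. "IT ops (electronic)"
    locations: list = field(default_factory=list)
    security_requirements: dict = field(default_factory=dict)  # CIA requirement -> statement
    classification: str = ""

def profile_gaps(p):
    """List everything that stops this IAP from feeding a threat risk assessment."""
    gaps = [f"missing {f}" for f in REQUIRED if not getattr(p, f)]
    gaps += [f"no {r} requirement" for r in CIA if r not in p.security_requirements]
    if p.classification and p.classification not in CLASS_RANK:
        gaps.append(f"unknown classification '{p.classification}'")
    return gaps

def tra_inputs(profiles):
    """Return (names ready for the TRA, most sensitive first) and {name: gaps} for the rest."""
    ready, incomplete = [], {}
    for p in profiles:
        gaps = profile_gaps(p)
        if gaps:
            incomplete[p.name] = gaps
        else:
            ready.append(p)
    ready.sort(key=lambda p: CLASS_RANK[p.classification], reverse=True)
    return [p.name for p in ready], incomplete

# Constructed sample inventory (not from the article): one complete profile, one with gaps.
INVENTORY = [
    InfoAssetProfile("Payroll records", "Monthly pay runs", "HR Director", ["Finance", "Employees"],
                     ["HR (paper)", "IT ops (electronic)"], ["HR file room", "payroll DB"],
                     {"confidentiality": "staff-in-role only", "integrity": "dual approval",
                      "availability": "restore within 1 business day"}, "confidential"),
    InfoAssetProfile("Marketing calendar", "Campaign dates", stakeholders=["Sales"],
                     custodians=["Marketing (electronic)"], locations=["shared drive"],
                     security_requirements={"confidentiality": "internal use"}, classification="internal"),
]
```

Running `tra_inputs(INVENTORY)` reports the payroll profile as ready and lists the missing owner and the missing integrity and availability requirements for the marketing calendar, which is exactly the list the CISO would hand back to the owner before the TRA starts.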
In summary, the benefits of the Information Asset Profile are:
– allows owners to profile their information assets to meet Information Security Policy requirements for the protection of those assets;
– validates the security aspects of the processes relying on the information;
– provides the information profiling required as the first step of a threat risk assessment;
– defines security requirements for new information systems applications;
– requires the CISO to provide the following services:
o assistance to owners on how to complete an IAP,
o central storage and control for all completed IAPs.