by The Open University
You have now completed your study of the ISMS documentation task in the ISMS planning process. In this subsection we study the asset identification task.
You saw in Section 5 that asset identification consists solely of Stage 4.1 of the ISMS planning process, in which the information assets at risk are identified, along with their owners, their locations, their values and their information security requirements. This stage can be subdivided into four steps.
Step 1: identify the boundaries of what is to be protected.
Step 2: identify the information assets, the media in which they are represented and the systems that handle them.
Step 3: identify the relationships between information assets, media, systems and organisational objectives.
Step 4: identify those information assets, media and systems critical to organisational objectives.
These steps are identified on pages 73–74 of IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799 (the Set Book).
The definition of the scope of the ISMS, produced in Stage 1 of the ISMS documentation task, is used in Steps 1 and 2, to help identify the boundaries and the information assets.
Step 2 includes the identification of the owners, locations and security requirements of the information assets. The identification of the media and systems allows assets to be grouped according to the storage medium on which they are represented or according to the system(s) that handle them. This grouping of assets aids the execution of Steps 3 and 4 by allowing us to consider together all those assets represented on the same storage medium or handled by the same system(s). This grouping process is helpful not only during asset identification but also during risk assessment and treatment.
It is at Step 3 that the value of an information asset (or group of assets) to an organisation is determined: the greater the asset's contribution to organisational objectives, the greater its value to the organisation. In some circumstances it may be possible to assign a monetary or numerical value to an asset, but in the context of information security it is usually sufficient to classify the value as being low, medium or high (as in the classification of impact, likelihood and risk in the previous subsection). The value assigned to an asset can be useful in determining the impact of a breach of the security requirements of the asset.
The value assigned to an asset (or group of assets) feeds into Step 4 as a factor in determining those assets critical to organisational objectives. The importance of this step is that, in practice, it is unlikely that an organisation will have the resources to protect fully all of its assets. In these circumstances, risk assessment and treatment will need to focus on the critical assets, at least to begin with; other, non-critical assets can be protected later, if resources allow. At this step, it can often be useful to rank assets in an order of priority for risk assessment and treatment determined by how critical they are to organisational objectives.
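As an added illustration (not from the Set Book or the course text), the following Python sketch models Steps 2 to 4 for a hypothetical asset register: assets are grouped by the media and systems that hold them, valued low/medium/high from their contribution to organisational objectives, and ranked so that the critical assets come first for risk assessment and treatment. All asset names, owners, locations, value bands and weights are constructed examples.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample register for one unit; names and weights are hypothetical
# illustrations, not figures taken from the Set Book.
@dataclass
class Asset:
    name: str
    owner: str
    location: str
    media: list        # storage media on which the asset is represented
    systems: list      # systems that handle the asset
    objectives: dict   # organisational objective -> contribution (1 low .. 3 high)

def asset_value(asset):
    """Step 3: the greater the contribution to objectives, the greater the value.
    The low/medium/high bands are an assumed classification."""
    total = sum(asset.objectives.values())
    return "high" if total >= 5 else "medium" if total >= 3 else "low"

def group_by(assets, attr):
    """Step 2: group assets by medium ("media") or by handling system ("systems")."""
    groups = defaultdict(list)
    for asset in assets:
        for key in getattr(asset, attr):
            groups[key].append(asset.name)
    return dict(groups)

def rank_for_treatment(assets):
    """Step 4: order assets by value band, then by raw contribution, highest first."""
    band = {"high": 2, "medium": 1, "low": 0}
    return sorted(assets, reverse=True,
                  key=lambda a: (band[asset_value(a)], sum(a.objectives.values())))

def critical_assets(assets):
    """Assets in the 'high' band are the ones risk assessment focuses on first."""
    return [a.name for a in rank_for_treatment(assets) if asset_value(a) == "high"]

REGISTER = [
    Asset("course texts", "course team", "faculty building",
          ["file server disks", "email store"], ["file servers", "email"],
          {"deliver courses": 3, "protect reputation": 2}),
    Asset("student marks", "exams office", "faculty building",
          ["database"], ["student records system"],
          {"deliver courses": 2, "comply with law": 3}),
    Asset("swipe card logs", "facilities", "faculty building",
          ["access control server"], ["swipe cards"], {"protect premises": 2}),
    Asset("internal memos", "faculty office", "faculty building",
          ["paper", "email store"], ["internal mail", "email"], {"run faculty": 1}),
]
```

Grouping by "systems" shows that course texts and internal memos share the email system, so they can be assessed together; the ranking puts course texts and student marks ahead of the low-value assets.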
Read the subsections of Chapter 6 of IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799 (the Set Book) entitled ‘Identify the boundaries’, ‘Identify the systems’ and ‘Identify relationships between systems and objectives’ (pp. 74–76). As you read, relate the Set Book's discussion of the asset identification task to the four steps described above.
(a) (i) Define the smallest practicable scope for which an ISMS can be developed.
(ii) State one criterion for deciding whether one or many ISMSs should be implemented.
(iii) State the defining characteristics of the scope of an ISMS.
(b) (i) Use your answer to (a) to help you determine a unit within your organisation to which a single ISMS should be applied. You should aim to choose a unit within which you work.
(ii) Give examples of two or more of the systems for handling information assets within the unit you identified in (b)(i), preferably ones that you use on a daily basis. By consulting within the unit, identify the critical assets that rely on these systems.
(c) Explain why:
(i) information assets and organisational objectives need to be related;
(ii) information assets need to be prioritised.
The Set Book uses the term ‘organisation’ ambiguously, both to refer to a large entity consisting of many units, often at different premises, and to a unit within such an entity. We endeavour in the main text of this unit to restrict the use of organisation to the large entity and to use the term ‘unit’ for a part of the large entity to which an ISMS is to be applied. Of course, in some cases we wish to apply an ISMS to the whole of a large entity, in which case the meanings of the terms ‘organisation’ and ‘unit’ coincide.
To help you determine the scope of an ISMS within your organisation, so that you can answer (b)(i), you might like to draw a diagram showing the structure of your organisation, how information is shared across unit boundaries, units with a common culture, and so on.
The first of the subsections, ‘Identify the boundaries’, corresponds to Step 1. The second, ‘Identify the systems’, corresponds to Step 2. The third subsection, ‘Identify relationships between systems and objectives’, relates to Steps 3 and 4.
(a) (i) The smallest practicable scope for an ISMS is defined by a boundary across which there is little information sharing, i.e. it is self-contained.
(ii) A single ISMS is indicated when an organisation shares a single business culture and generally uses the same systems throughout. Otherwise, multiple ISMSs should be considered.
(iii) The defining characteristics of the scope of an ISMS for a unit within an organisation are the premises the unit occupies, its network assets and its information assets.
(b) We use the Open University as our exemplar.
(i) Figure 6 is a diagram showing how the Computing Department, to which many of the members of the M886 Course Team belong, fits into the structure of the OU. The arrows indicate the flow of information across boundaries (the breadth of an arrow represents the quantity of information that is shared).
Figure 6: the Computing Department within the structure of the OU (diagram not reproduced).
The OU has a large number of premises across the UK, and although some network and information assets are shared there are many that are not. This suggests that the OU as a whole is inappropriate for a single ISMS. Furthermore, the information flows between the Computing Department and the Faculty of Mathematics and Computing are too large for it to be sensible to restrict the ISMS to the Computing Department.
The Faculty of Mathematics and Computing occupies a single building. Networking services, many systems and much information are shared across the Faculty, and there is reasonable common culture throughout the Faculty. The information flows between the Faculty and the OU generally are rather large, but, given that all the other indicators are satisfied, the Faculty is probably a sensible unit to which a single ISMS should be applied.
(ii) Systems that handle information assets and that are used regularly by members of the Faculty of Mathematics and Computing include email, swipe cards, proxy servers, a web server, file servers and internal mail. Course texts, critical to our mission, are held on file servers and exchanged by email.
(c) (i) Breaches of the security requirements of information assets that contribute most to an organisation's objectives will have the greatest impact on the organisation's ability to discharge its mission.
(ii) It may not be possible to protect all information assets, or the protection may need to be phased, so those judged most significant and the most vulnerable must be given priority.
The asset identification process described above is one of many in the literature. Others include the following.
Parker (1981), one of the earliest books to discuss information security (which he calls ‘computing security’), provides excellent practical guidance on identifying assets in Chapter 9.
Alberts and Dorofee (2003) have developed what they call the OCTAVE approach to managing information security. It includes a full asset identification process.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).