02. Information Asset Identification and Classification Flashcards

1
Q

Information Asset Identification and Classification

Assets are things of value that an organisation protects in an information security program, and include…

A
  1. Information Systems Hardware
  2. Software
  3. Virtual Assets
  4. Information
  5. Facilities
  6. Personnel

  1. Servers, laptops, tablets, etc.
  2. Operating systems, subsystems, applications, etc.
  3. Operating system guests, containers, etc.
  4. Databases, PII, etc.
  5. Data centers, development centers, etc.
  6. Staff

203

2
Q

Asset Identification and valuation

After security leadership have determined the scope of a security program, the initial step of the program development is…

A

identification of assets and determination of their value

203

3
Q

Asset Identification and valuation

IT needs to acquire and track several characteristics of every asset, including…

A
  1. Identification
  2. Value
  3. Location
  4. Security Classification
  5. Asset Group
  6. Owner
  7. Custodian

204

4
Q

Asset Identification and valuation

A periodic “true up”, a process that confirms by whatever means are used that assets still physically exist, is performed so that discrepancies can be investigated to verify that assets have not been…

A

moved/removed without authorization or stolen

204

5
Q

Asset Identification and valuation

Software assets are considered to have…

A

Tangible value

Although software itself is intangible in that it cannot physically be touched, if software is used to deliver goods and services it can be classified as a tangible asset (source)

204

6
Q

Asset Identification and valuation

Information assets are considered to be less tangible than hardware assets and include…

A
  1. Customer Information
  2. Intellectual property
  3. Business Operations
  4. Virtual Assets

205

7
Q

Asset Identification and valuation

A significant challenge related to information assets, where it will be next to impossible for an organisation to identify or know what services are in place, is the use of…

A

Cloud-Based Information Assets

An example is people taking it upon themselves to use services such as Dropbox to upload significant amounts of information as part of an exchange with a third party.
The intent is not malicious, but the activity is not tracked and sight of the data is lost.

205

8
Q

Asset Identification and valuation

The term for users purchasing their own computing services and bypassing corporate IT…

A

Shadow IT

Implies not all assets can be identified

205

9
Q

Virtual Assets

The term for the ability to create virtual servers at the click of a button, without additional cost to the organisation and often without approval…

A

Virtual Sprawl
aka
Virtualisation Sprawl

206

10
Q

Virtual Assets

Significant risks associated with virtualisation or cloud-based computing that make it difficult for virtual assets to be managed or tracked…

A
  1. Virtual Sprawl
  2. Elasticity
  3. Containerization
  4. Software-Defined Networking (SDN)

  1. Virtual servers spun up often without authorization
  2. Additional resources automatically spun up to meet demand
  3. Multiple software instantiations execute on a running operating system
  4. Virtual network devices can be created at will or by automatic means

206

11
Q

Asset Classification

The process by which an organisation assigns an asset to a category representing usage or risk

A

Asset Classification

206

12
Q

Asset Classification

Within the information security program, the purpose of asset classification is to determine…

A

its level of criticality to the organisation

206

13
Q

Asset Classification

2 key measures of criticality…

A
  1. Information Sensitivity
  2. Operational Dependency

206

14
Q

Asset Classification

Criticality measurements of an asset form the basis for…

A
  1. Information Protection
  2. System Redundancy and Resilience
  3. Business Continuity Planning
  4. Disaster Recovery Planning
  5. Access Management

206

15
Q

Asset Classification

Scarce resources in the form of information protection and resilience need to be allocated to…

A

assets that require it the most

Makes no sense to protect all assets to the same degree

206

16
Q

Asset Classification

The best approach for asset classification by an organisation is to…

A

Identify and classify information assets first, followed by system classification

206

17
Q

Information Classification

A process whereby different sets and collections of data in an organisation are analysed for various types of value, criticality, integrity, and sensitivity

A

Information Classification

207

18
Q

Information Classification

Information classification considers different characteristics to evaluate the value, criticality, integrity, and sensitivity of information…

A
  1. Monetary Value
  2. Operational Criticality
  3. Accuracy or Integrity
  4. Sensitivity
  5. Reputational Value

  1. Loss of this type of information may cause direct financial losses
  2. Corruption or loss of this type of information may significantly impact ongoing business operations.
  3. Corruption or loss of this type of information impacts business operations by causing incomplete or erroneous transactions
  4. Information of a sensitive nature, typically associated with individual citizens
  5. Denotes information that will or could cause potential loss of business reputation, e.g. PII or even trade secrets that would not be looked on favorably by the public

207

19
Q

Information Classification

In terms of an information classification scheme, the most successful organisations will build a scheme that is…

A

simple and easy to understand

If the scheme is too complex, staff will not understand it and will easily misclassify information

207

20
Q

Information Classification

4 typical classifications of information

A
  1. Secret
  2. Restricted
  3. Confidential
  4. Public

  1. Merger and acquisition plans, account passwords, encryption keys
  2. Credit card numbers, bank accounts, financial records etc..
  3. System documentation, e.g. network diagrams
  4. Marketing collateral, published financial reports, press releases

207

21
Q

Information Classification

Once information has been adequately classified, the next step in the information classification development is…

A

handling procedures

The classification and handling guidelines show the different forms of information handling for each classification level

Information Handling Requirements Table

208

22
Q

Information Classification

With too many classification levels, there is a greater chance that information will be…

A

misclassified and put at risk

209

23
Q

Information Classification

With too few classification levels, the organisation will either have…

A

excessive resources protecting all information
or
insufficient resources protecting information inadequately

209

24
Q

System Classification

Once information classification has been satisfied, the next step in the process will be…

A

system classification

209

25
Q

System Classification

The purpose of system classification is to identify and categorize system assets according to…

A

the classification of information stored, processed, or transmitted by them so that appropriate level of protection can be determined and implemented

209

26
Q

System Classification

A typical approach to system classification and protection is that for each level of classification and each type of system, a…

A

system hardening standard is developed that specifies features and configuration requirements

209

27
Q

System Classification

A network architectural design element that can support system classification, segmentation decisions, and the costs associated with the protection controls required…

A

Zoning

A server may be classified as secret while other servers in the zone are restricted. It may be decided that all servers in that environment have the same level of protection applied, as compromise of a restricted server may result in the compromise of the secret server.
In organisations with large flat networks, this could suddenly become a very expensive exercise.

Network Zoning

210

28
Q

Facilities Classification

A method of assigning classification or risk levels to work centers and processing centers based on their operational criticality or other risk factors, e.g. a data center vs a sales office

A

Facilities Classification

210

29
Q

Personnel Classification

Some organisations may require personnel to meet specific clearance levels dependent on the nature of the information they will be interacting with, for example trade secrets, government secrets, etc. It makes sense for these sorts of organisations to establish a…

A

classification scheme for personnel in the organisation

211

30
Q

Personnel Classification

Treatment of personnel at higher security levels may include…

A
  1. Assigned devices with higher levels of security protection
  2. Frequent access reviews
  3. More stringent authentication requirements
  4. Different colour identity badges
  5. Assigned to work in facilities with more stringent security measures

211

31
Q

Asset Valuation

Even in instances where qualitative risk valuation is employed, the absence of an asset's value will make it more difficult to…

A

calculate risks associated with an asset

212

32
Q

Qualitative Asset Valuation

A common method of applying qualitative asset valuation to an asset is to assign…

A

values using a scale, for example:
low, medium, high
or
1 to 5

212

33
Q

Qualitative Asset Valuation

A means for an organisation to establish which assets have more or less value relative to others without the assignment of dollar value

A

Qualitative Asset Valuation

212

34
Q

Quantitative Asset Valuation

A process more common in large or mature organisations that want to understand all the costs associated with loss events

A

Quantitative Asset Valuation

Process of assigning a dollar value to each asset

212

35
Q

Quantitative Asset Valuation

In a typical quantitative asset valuation, an asset value may be one of the following…

A
  1. Replacement cost
  2. Book value
  3. Net Present Value (NPV)
  4. Redeployment Cost
  5. Creation or Reacquisition Cost
  6. Consequential Financial Cost

  1. The cost of purchasing or replacing an asset. A database's replacement cost could be the operational cost to replace it
  2. Value of the asset in the financial system, i.e. purchase cost less depreciation
  3. The asset may directly or indirectly generate revenue, which can be used to evaluate its value
  4. Cost to set an asset up again somewhere else
  5. The cost associated, for example with a database, to set it up again or reacquire the information, or the effort involved for developers to re-create code
  6. A measure of financial costs that result from theft or compromise

212

36
Q

Asset Valuation

In terms of asset valuation, security managers should document their…

A

rationale and methods of evaluation

213

37
Q

Asset Valuation

In large, more mature organisations, the specification methods and formulas for information asset valuation will be documented within…

A

Guidelines

213