Asset Identification Flashcards
1
Q
What must organisations consider when sharing information?
A
- Laws
- Regulatory frameworks
- Codes of practice
2
Q
What are the consequences of failing to comply with laws and regulations when sharing information?
A
- Disciplinary action
- Financial penalties
- Legal actions (against individuals and/or organisation)
3
Q
What do new digital forms of communication and storage of assets lead to?
A
New threats
4
Q
What responsibility do directors and managers have regarding information sharing?
A
They must be cautious and vigilant to avoid non-compliance.
5
Q
How can information contribute to an organisation in the e-business age?
A
- Competitive advantage
- Adding to organisational value
- Helping meet the organisation’s mission and/or objectives
6
Q
What threats arise with new forms of communication and commerce?
A
- Exposure of vital information assets
- Increased risk from external access to internal networks
- Vulnerability through cloud services
7
Q
What is a risk associated with using cloud services for information sharing?
A
They can inadvertently provide global access to an organisation’s most valued information.
8
Q
What is the first step in information security?
A
Identifying which information assets need protecting.
9
Q
What is an Information Asset Register (IAR)?
A
A document of record listing the information assets within an organisation that need protecting.
10
Q
Why is the IAR considered a foundation document for information security?
A
- It supports risk assessments.
- Errors or omissions can affect the quality of risk assessments.
11
Q
What other purposes does an IAR serve?
A
- Supporting business cases for outsourcing.
- Justifying moves to cloud-based services.
- Justifying costs for improving information security.
12
Q
How does the size of an IAR vary by organisation?
A
A small business may only have a handful of assets, while large organisations may have many thousands.
13
Q
What is a challenge in creating an IAR for large organisations?
A
Managing the complexity of hundreds or thousands of information assets.
14
Q
What is metadata?
A
Data about data that describes it but is not part of it, although it can be stored with it.
15
Q
What is an example of metadata outside of information security?
A
Metadata in digital photos includes location, aperture, and focal length (EXIF metadata)
16
Q
Why is metadata in organisational data inconsistent?
A
There is no universal standard for metadata in organisational data; each organisation has its own format.
17
Q
What does the Asset Identifier of an information asset represent in the IAR?
Give an example.
A
A unique identifier, which may include location, associated systems, or a unique alphanumeric reference.
IA1, or O365-HR
18
Q
What does the Name of an information asset represent in the IAR?
Give an example.
A
The name of the asset in plain terms.
Sales Data, or Email
19
Q
What does the Type of an information asset represent in the IAR?
Give an example.
A
The type of structure of the asset.
Database, Sales software system, Email system
20
Q
What does the Purpose of an information asset represent in the IAR?
Give an example.
A
Describes how the data is used in practical terms. Sometimes ommitted if purpose is clear.
Databse of all sales purchases, Email mailboxes for all users and shared mailboxes
21
Q
What does the Notes of an information asset represent in the IAR?
Give an example.
A
Any additional information that is relevant.
Will be depreciated in 20XX, In migration to Microsoft 365
22
Q
What does the Media of an information asset represent in the IAR?
Give an example.
A
The type of media the asset is stored on.
Hard disk, hard copy, cloud datacentre
23
Q
What does the Supporting Systems of an information asset represent in the IAR?
Give an example.
A
The container of the media the asset is stored in.
SRV-Finance, Archive container, Internet
24
Q
What does the Owner of an information asset represent in the IAR?
Give an example.
A
The person accountable for the asset, by job title for redundancy.
Sales Director, IT Manager
25
What does the Authorised Users of an information asset represent in the IAR?
Give an example.
The people who are permitted access to the asset, by job title for redundancy.
Sales Team, All staff
26
What does the Location of an information asset represent in the IAR?
Give an example.
The physical location of the asset.
Server room, Microsoft cloud, HR office
27
What does the Building/Site of an information asset represent in the IAR?
Give an example.
There the location of the asset can be found, in a broader sense.
Head Office, Building A, EU datacentre
28
What does the Dependencies of an information asset represent in the IAR?
Give an example.
Typically dependencies for support of the asset, such as third party providers and support companies.
Sales Software Ltd., Database supplier support
29
What does the Security Requirements of an information asset represent in the IAR?
Give an example.
The CIA Triad of Confidentiality, Integrity and Availability, typically each ranked by the requirements of the asset.
C 5, I 5, A 3, or C Low, I High, A High
30
What does the Value of an information asset represent in the IAR?
Give an example.
The associated importance of the asset and its value to the company. Does not have to be monetary.
Low, High, £10,000
31
Historically, how were organisations and their assets protected?
By securing the building they were contained in from physical threats like fire and theft.
32
What determines organisational boundaries today?
Who the organisation shares information with and with who they keep it secret.
33
What are Grant’s two key observations about assets?
1. Assets should be sharable within the organisation.
2. Assets should be scarce outside the organisation.
34
What is the basis of competitive advantage in for-profit organisations according to Grant?
The combination of shareability and scarcity of assets.
35
How do shareability and scarcity affect not-for-profit organisations?
Shareability supports the mission, scarcity is often required by law or codes.
36
What are the two regions associated with an information asset?
1. Shareability region - Locations, systems, and people with access to the asset.
2. Scarcity region - All other locations, systems and people.
37
What are the key conditions within an information asset’s shareability region?
Availability to ensure use and integrity to ensure correct decisions are made using the asset.
38
What must happen to an information asset outside its shareability region?
It must remain confidential to prevent deriving value from it.
39
What are the information security requirements of an asset?
The CIA Triad - Confidentiality, Integrity, and Availability.
40
What happens when an information asset moves across its boundary into the scarcity region?
It's value must be removed to maintain security.
41
What role does cryptography play in protecting information assets?
It reversibly conceals information value when moving across boundaries.
42
What diagrams are needed to identify an information asset's shareability boundary?
- Organisation chart / organogram diagram (roles or employees)
- Location diagram (physical locations)
- Systems and network diagram (system interrelations)
43
Why is the boundary between shareability and scarcity regions important?
It determines where the information asset's value must be protected or restored.
44
What challenge arises with disjoint shareability regions?
Value must be removed when crossing public networks or untrusted spaces.
45
What does an organogram show in relation to an information asset?
The staff structure and relationships within an organisation, indicating who relates to the information asset.
46
How can the boundary of an information asset’s shareability region be identified on an organogram?
By drawing a ring around people inside the region or listing them.
47
What defines a department’s shareability region?
The information it uses in daily business, with areas outside generally considered a scarcity region.
48
Who would typically have access to HR’s sensitive personal data?
Only HR staff.
49
Who would typically have access to sensitive financial information?
Only finance staff.
50
Why should access to information be restricted?
To ensure staff only access information necessary for their duties.
51
How does access differ between senior and junior staff?
Senior staff typically perform more information lifecycle activities and need greater access to assets.
52
What is the purpose of a geographical location diagram?
To assess physical locations within the scope and identify the shareability boundry from a geographical perspective.
53
What locations should be included in a geographical location diagram?
- Server rooms and offices, and their containing buildings or sites.
- Homes, hotels, etc of remote workers (typically generically rather than specifically!)
- Cloud service provider locations (typically generically by provider)
54
What is the purpose of a systems and network diagram?
To illustrate the logical connectivity between information assets, users, and teams. Used to show information flows crossing scarcity and shareability boundaries.
55
What additional aspect should a systems and network diagram reflect?
Network flows between organisation and physical regions of scarcity and shareability.
56
Why is it important to identify where information flows cross network boundaries?
To determine where information assets need protection, especially in less secure locations.
57
What do digital assets hosted in cloud environments require?
Special consideration for security, as they are hosted in a physical scarcity region.
58
What does a systems and network diagram enable?
The identification of risks and protection needs as information assets traverse the network.
59
When is an information asset considered secure?
When its confidentiality, integrity, and availability requirements are met.
60
How are an information asset’s security needs related to its regions?
They are tied to the asset's shareability and scarcity regions.
61
What is the security requirement for an asset in its scarcity region?
It should be unavailable, or if impossible it should be damaged or disabled to reduce its value.
62
What happens if an asset’s integrity is breached in its shareability region?
The asset may become less useful or entirely worthless. Incorrect data can lead to poor decisions, reducing its value.
63
Why must an information asset be available in its shareability region?
To maximise its utility and value to the organisation.
64
What happens when an asset is not available when needed?
The need goes unfulfilled and the asset's value is reduced.
65
What are examples of availability failures in daily life?
- Unable to access your email or calendar when you need to.
- Forgetting a password to a secure file and being unable to access it.
- Not remembering your login details to an account and being unable to access a website.
66
What could be the impact of a customer or product database breach of availability?
It may seriously hinder the organisation's ability to carry out its mission.
67
What are the 7 stages of an information asset's lifecycle?
1. Creation/receipt
2. Storage
3. Transmission and reception
4. Access, use, change
5. Maintenance
6. Archival
7. Destruction
68
What happens during the Creation and Receipt phase of an information asset?
It is created or received from a third party.
69
What happens during the Storage phase of an information asset?
It must be stored in a way that ensure the confidentiality, integrity and availability of the assett.
70
What happens during the Transmission and Reception phase of an informaion asset?
The asset is sent and received from where it is stored to where it is needed. It must be available for transmission, kept confidential during transit across private/public networks, and maintain its integrity at the destination.
71
What happens during the Access, Use, and Change phase of an information asset?
The asset is used to create addtional value through business processes. This may create additional assets, with their own security requirements.
72
What happens during the Maintenance phase of an information asset?
The asset is actively managed in order to preserve its value, such as updating the information it contains or declassifying it and reducing its security requirements.
73
What happens during the Archival phase of an information asset?
The asset is moved into long-term storage, lowering its availability now that it has less value. Its confidentiality and integrity remain important.
74
What happens during the Destruction phase of an information asset?
The asset is destroyed, to ensure it is no longer available. It's confidentiality must remain high during the destruction process, as its availability and integrity are reduced to zero.
75
What is the key purpose of the information lifecycle?
To manage how information assets are created, stored, used, and destroyed in line with their security requirements.
76
What are confidentiality markings for information assets?
Labels such as confidential, secret, top secret, restricted, official, unclassified, etc.
77
How is the concept of markings extended to integrity?
An asset might intentional have compromised integrity, such as demo version of a video game, or trial of a software package.
78
How is the concept of markings extended to availability?
An asset might intentionally have its availability restricted, such as 'need to know' policies.
As an example, a HR employee might have the confidentiality requirements to access HR documents, but the availability shouldn't allow them to access files when they have no legitimate need to do so.
79
Why are markings important for information assets?
To manage confidentiality, integrity, and availability levels appropriately based on the asset’s purpose and audience.
80
What is the first step after identifying an information asset?
Assessing its value to the organisation and beginning the process of protecting it.
81
What are Showstopper information assetts?
Give an example.
Those whose loss would cause immediate disruption, reputational damage, or political embarrassment.
Financial records during an audit or a database containing customer details, passwords, and credit card information.
82
What are Significant information assets?
Give an example.
Those whose loss would cause disruption to business operations, but not cause reputational or political damage.
Warehouse inventory, booking system for IT equipment
83
What questions assess the Availability of an information asset?
- Will it cost money to reacquire if lost?
- Would legal, reputational, or financial repercussions occur if unavailable?
- Would it affect operational efficiency?
- Can work be done without it?
- Would competitive advantage be lost?
84
What question assess trhe Integrity of an information asset?
- Would there be consequences if the information was incorrect?
85
What questions assess the Confidentiality of an information asset?
- Would there be consequences if revealed to a third party?
- Would competitors gain an advantage?
- Would regulations be broken?
86
Why are Showstopped and Significant assets prioritised for protection?
Their loss or compromise would disrupt business operations or cause reputational, legal, or financial damage.
87
What defines an information asset's shareability and scarcity regions?
The collection of humans, systems (including media), and locations on which the asset depends during its lifecycle.
88
What are the three main types of vulnerabilities for an information asset?
- Physical vulnerabilities
- Environmental vulnerabilities
- Human vulnerabilities
89
What are the three main dependencies of an information asset?
- Humans
- Systems (including medium)
- Physical locations
90
What role does a medium play in an information asset’s lifecycle?
Give some examples.
It allows the asset to both exist, and to be presented.
Paper, hard drive, SSD.
91
What two types of hacking are systems vulnerable to?
Physical and remote hacking.
92
How do humans support an information asset?
By interacting with it to create value.
93
What three risk groups do physical locations suffer susceptibility to?
1. Natural disasters (floods, fires)
2. Environmental failures (air con failure, power supply isssues)
3. Human error (coffee spills, accidental disconnection)
94
What questions must be asked to track dependencies throughout an asset's lifecycle?
Which dependencies are creates when the asset is:
- Created, stored, archived or destroyed?
- Used, copied, changed, or transformed?
- Transmitted and received?
These answers should consider human, system and location dependencies.
95
What is the information security scope of an information asset?
The sum of all people, systems, and locations the asset touches during its lifecycle.
96
How are an information asset's weaknesses defined in terms of security?
By the vulnerabilities of the people, systems, and locations within its scope.
97
What happens if all systems, people, and locations within the asset's scope are protected?
The asset itself will be protected.
98
What processes are used to protect an information asset's scope?
- Risk analysis to identify risks.
- Risk control to mitigate or manage those risks.
99
How can lesser information assets benefit from protecting significant assets?
They can share protections if they reside on the same systems, are accessed by the same people, or share the same locations.
100
What does a shared system or server imply for the security scope?
Multiple assets share the same scope and require combined protections.
