Asset Identification Flashcards

Question 1

Q

What must organisations consider when sharing information?

Answer

A

Laws
Regulatory frameworks
Codes of practice

Question 2

Q

What are the consequences of failing to comply with laws and regulations when sharing information?

Answer

A

Disciplinary action
Financial penalties
Legal actions (against individuals and/or organisation)

Question 3

Q

What do new digital forms of communication and storage of assets lead to?

Answer

A

New threats

Question 4

Q

What responsibility do directors and managers have regarding information sharing?

Answer

A

They must be cautious and vigilant to avoid non-compliance.

Question 5

Q

How can information contribute to an organisation in the e-business age?

Answer

A

Competitive advantage
Adding to organisational value
Helping meet the organisation’s mission and/or objectives

Question 6

Q

What threats arise with new forms of communication and commerce?

Answer

A

Exposure of vital information assets
Increased risk from external access to internal networks
Vulnerability through cloud services

Question 7

Q

What is a risk associated with using cloud services for information sharing?

Answer

A

They can inadvertently provide global access to an organisation’s most valued information.

Question 8

Q

What is the first step in information security?

Answer

A

Identifying which information assets need protecting.

Question 9

Q

What is an Information Asset Register (IAR)?

Answer

A

A document of record listing the information assets within an organisation that need protecting.

Question 10

Q

Why is the IAR considered a foundation document for information security?

Answer

A

It supports risk assessments.
Errors or omissions can affect the quality of risk assessments.

Question 11

Q

What other purposes does an IAR serve?

Answer

A

Supporting business cases for outsourcing.
Justifying moves to cloud-based services.
Justifying costs for improving information security.

Question 12

Q

How does the size of an IAR vary by organisation?

Answer

A

A small business may only have a handful of assets, while large organisations may have many thousands.

Question 13

Q

What is a challenge in creating an IAR for large organisations?

Answer

A

Managing the complexity of hundreds or thousands of information assets.

Question 14

Q

What is metadata?

Answer

A

Data about data that describes it but is not part of it, although it can be stored with it.

Question 15

Q

What is an example of metadata outside of information security?

Answer

A

Metadata in digital photos includes location, aperture, and focal length (EXIF metadata)

Question 16

Q

Why is metadata in organisational data inconsistent?

Answer

A

There is no universal standard for metadata in organisational data; each organisation has its own format.

Question 17

Q

What does the Asset Identifier of an information asset represent in the IAR?

Give an example.

Answer

A

A unique identifier, which may include location, associated systems, or a unique alphanumeric reference.

IA1, or O365-HR

Question 18

Q

What does the Name of an information asset represent in the IAR?

Give an example.

Answer

A

The name of the asset in plain terms.

Sales Data, or Email

Question 19

Q

What does the Type of an information asset represent in the IAR?

Give an example.

Answer

A

The type of structure of the asset.

Database, Sales software system, Email system

Question 20

Q

What does the Purpose of an information asset represent in the IAR?

Give an example.

Answer

A

Describes how the data is used in practical terms. Sometimes ommitted if purpose is clear.

Databse of all sales purchases, Email mailboxes for all users and shared mailboxes

Question 21

Q

What does the Notes of an information asset represent in the IAR?

Give an example.

Answer

A

Any additional information that is relevant.

Will be depreciated in 20XX, In migration to Microsoft 365

Question 22

Q

What does the Media of an information asset represent in the IAR?

Give an example.

Answer

A

The type of media the asset is stored on.

Hard disk, hard copy, cloud datacentre

Question 23

Q

What does the Supporting Systems of an information asset represent in the IAR?

Give an example.

Answer

A

The container of the media the asset is stored in.

SRV-Finance, Archive container, Internet

Question 24

Q

What does the Owner of an information asset represent in the IAR?

Give an example.

Answer

A

The person accountable for the asset, by job title for redundancy.

Sales Director, IT Manager

Question 25

Q

What does the Authorised Users of an information asset represent in the IAR?

Give an example.

Answer

A

The people who are permitted access to the asset, by job title for redundancy.

Sales Team, All staff

Question 26

Q

What does the Location of an information asset represent in the IAR?

Give an example.

Answer

A

The physical location of the asset.

Server room, Microsoft cloud, HR office

Question 27

Q

What does the Building/Site of an information asset represent in the IAR?

Give an example.

Answer

A

There the location of the asset can be found, in a broader sense.

Head Office, Building A, EU datacentre

Question 28

Q

What does the Dependencies of an information asset represent in the IAR?

Give an example.

Answer

A

Typically dependencies for support of the asset, such as third party providers and support companies.

Sales Software Ltd., Database supplier support

Question 29

Q

What does the Security Requirements of an information asset represent in the IAR?

Give an example.

Answer

A

The CIA Triad of Confidentiality, Integrity and Availability, typically each ranked by the requirements of the asset.

C 5, I 5, A 3, or C Low, I High, A High

Question 30

Q

What does the Value of an information asset represent in the IAR?

Give an example.

Answer

A

The associated importance of the asset and its value to the company. Does not have to be monetary.

Low, High, £10,000

Question 31

Q

Historically, how were organisations and their assets protected?

Answer

A

By securing the building they were contained in from physical threats like fire and theft.

Question 32

Q

What determines organisational boundaries today?

Answer

A

Who the organisation shares information with and with who they keep it secret.

Question 33

Q

What are Grant’s two key observations about assets?

Answer

A

Assets should be sharable within the organisation.
Assets should be scarce outside the organisation.

Question 34

Q

What is the basis of competitive advantage in for-profit organisations according to Grant?

Answer

A

The combination of shareability and scarcity of assets.

Question 35

Q

How do shareability and scarcity affect not-for-profit organisations?

Answer

A

Shareability supports the mission, scarcity is often required by law or codes.

Question 36

Q

What are the two regions associated with an information asset?

Answer

A

Shareability region - Locations, systems, and people with access to the asset.
Scarcity region - All other locations, systems and people.

Question 37

Q

What are the key conditions within an information asset’s shareability region?

Answer

A

Availability to ensure use and integrity to ensure correct decisions are made using the asset.

Question 38

Q

What must happen to an information asset outside its shareability region?

Answer

A

It must remain confidential to prevent deriving value from it.

Question 39

Q

What are the information security requirements of an asset?

Answer

A

The CIA Triad - Confidentiality, Integrity, and Availability.

Question 40

Q

What happens when an information asset moves across its boundary into the scarcity region?

Answer

A

It’s value must be removed to maintain security.

Question 41

Q

What role does cryptography play in protecting information assets?

Answer

A

It reversibly conceals information value when moving across boundaries.

Question 42

Q

What diagrams are needed to identify an information asset’s shareability boundary?

Answer

A

Organisation chart / organogram diagram (roles or employees)
Location diagram (physical locations)
Systems and network diagram (system interrelations)

Question 43

Q

Why is the boundary between shareability and scarcity regions important?

Answer

A

It determines where the information asset’s value must be protected or restored.

Question 44

Q

What challenge arises with disjoint shareability regions?

Answer

A

Value must be removed when crossing public networks or untrusted spaces.

Question 45

Q

What does an organogram show in relation to an information asset?

Answer

A

The staff structure and relationships within an organisation, indicating who relates to the information asset.

Question 46

Q

How can the boundary of an information asset’s shareability region be identified on an organogram?

Answer

A

By drawing a ring around people inside the region or listing them.

Question 47

Q

What defines a department’s shareability region?

Answer

A

The information it uses in daily business, with areas outside generally considered a scarcity region.

Question 48

Q

Who would typically have access to HR’s sensitive personal data?

Answer

A

Only HR staff.

Question 49

Q

Who would typically have access to sensitive financial information?

Answer

A

Only finance staff.

Question 50

Q

Why should access to information be restricted?

Answer

A

To ensure staff only access information necessary for their duties.

Question 51

Q

How does access differ between senior and junior staff?

Answer

A

Senior staff typically perform more information lifecycle activities and need greater access to assets.

Question 52

Q

What is the purpose of a geographical location diagram?

Answer

A

To assess physical locations within the scope and identify the shareability boundry from a geographical perspective.

Question 53

Q

What locations should be included in a geographical location diagram?

Answer

A

Server rooms and offices, and their containing buildings or sites.
Homes, hotels, etc of remote workers (typically generically rather than specifically!)
Cloud service provider locations (typically generically by provider)

Question 54

Q

What is the purpose of a systems and network diagram?

Answer

A

To illustrate the logical connectivity between information assets, users, and teams. Used to show information flows crossing scarcity and shareability boundaries.

Question 55

Q

What additional aspect should a systems and network diagram reflect?

Answer

A

Network flows between organisation and physical regions of scarcity and shareability.

Question 56

Q

Why is it important to identify where information flows cross network boundaries?

Answer

A

To determine where information assets need protection, especially in less secure locations.

Question 57

Q

What do digital assets hosted in cloud environments require?

Answer

A

Special consideration for security, as they are hosted in a physical scarcity region.

Question 58

Q

What does a systems and network diagram enable?

Answer

A

The identification of risks and protection needs as information assets traverse the network.

Question 59

Q

When is an information asset considered secure?

Answer

A

When its confidentiality, integrity, and availability requirements are met.

Question 60

Q

How are an information asset’s security needs related to its regions?

Answer

A

They are tied to the asset’s shareability and scarcity regions.

Question 61

Q

What is the security requirement for an asset in its scarcity region?

Answer

A

It should be unavailable, or if impossible it should be damaged or disabled to reduce its value.

Question 62

Q

What happens if an asset’s integrity is breached in its shareability region?

Answer

A

The asset may become less useful or entirely worthless. Incorrect data can lead to poor decisions, reducing its value.

Question 63

Q

Why must an information asset be available in its shareability region?

Answer

A

To maximise its utility and value to the organisation.

Question 64

Q

What happens when an asset is not available when needed?

Answer

A

The need goes unfulfilled and the asset’s value is reduced.

Answer 65

A

Unable to access your email or calendar when you need to.
Forgetting a password to a secure file and being unable to access it.
Not remembering your login details to an account and being unable to access a website.

Answer 66

A

It may seriously hinder the organisation’s ability to carry out its mission.

Answer 67

A

Creation/receipt
Storage
Transmission and reception
Access, use, change
Maintenance
Archival
Destruction

Answer 68

A

It is created or received from a third party.

Answer 69

A

It must be stored in a way that ensure the confidentiality, integrity and availability of the assett.

Answer 70

A

The asset is sent and received from where it is stored to where it is needed. It must be available for transmission, kept confidential during transit across private/public networks, and maintain its integrity at the destination.

Answer 71

A

The asset is used to create addtional value through business processes. This may create additional assets, with their own security requirements.

Answer 72

A

The asset is actively managed in order to preserve its value, such as updating the information it contains or declassifying it and reducing its security requirements.

Answer 73

A

The asset is moved into long-term storage, lowering its availability now that it has less value. Its confidentiality and integrity remain important.

Answer 74

A

The asset is destroyed, to ensure it is no longer available. It’s confidentiality must remain high during the destruction process, as its availability and integrity are reduced to zero.

Answer 75

A

To manage how information assets are created, stored, used, and destroyed in line with their security requirements.

Answer 76

A

Labels such as confidential, secret, top secret, restricted, official, unclassified, etc.

Answer 77

A

An asset might intentional have compromised integrity, such as demo version of a video game, or trial of a software package.

Answer 78

A

An asset might intentionally have its availability restricted, such as ‘need to know’ policies.

As an example, a HR employee might have the confidentiality requirements to access HR documents, but the availability shouldn’t allow them to access files when they have no legitimate need to do so.

Answer 79

A

To manage confidentiality, integrity, and availability levels appropriately based on the asset’s purpose and audience.

Answer 80

A

Assessing its value to the organisation and beginning the process of protecting it.

Answer 81

A

Those whose loss would cause immediate disruption, reputational damage, or political embarrassment.

Financial records during an audit or a database containing customer details, passwords, and credit card information.

Answer 82

A

Those whose loss would cause disruption to business operations, but not cause reputational or political damage.

Warehouse inventory, booking system for IT equipment

Answer 83

A

Will it cost money to reacquire if lost?
Would legal, reputational, or financial repercussions occur if unavailable?
Would it affect operational efficiency?
Can work be done without it?
Would competitive advantage be lost?

Answer 84

A

Would there be consequences if the information was incorrect?

Answer 85

A

Would there be consequences if revealed to a third party?
Would competitors gain an advantage?
Would regulations be broken?

Answer 86

A

Their loss or compromise would disrupt business operations or cause reputational, legal, or financial damage.

Answer 87

A

The collection of humans, systems (including media), and locations on which the asset depends during its lifecycle.

Answer 88

A

Physical vulnerabilities
Environmental vulnerabilities
Human vulnerabilities

Answer 89

A

Humans
Systems (including medium)
Physical locations

Answer 90

A

It allows the asset to both exist, and to be presented.

Paper, hard drive, SSD.

Answer 91

A

Physical and remote hacking.

Answer 92

A

By interacting with it to create value.

Answer 93

A

Natural disasters (floods, fires)
Environmental failures (air con failure, power supply isssues)
Human error (coffee spills, accidental disconnection)

Answer 94

A

Which dependencies are creates when the asset is:
- Created, stored, archived or destroyed?
- Used, copied, changed, or transformed?
- Transmitted and received?

These answers should consider human, system and location dependencies.

Answer 95

A

The sum of all people, systems, and locations the asset touches during its lifecycle.

Answer 96

A

By the vulnerabilities of the people, systems, and locations within its scope.

Answer 97

A

The asset itself will be protected.

Answer 98

A

Risk analysis to identify risks.
Risk control to mitigate or manage those risks.

Answer 99

A

They can share protections if they reside on the same systems, are accessed by the same people, or share the same locations.

Answer 100

A

Multiple assets share the same scope and require combined protections.

Brainscape's Knowledge GenomeTM

Asset Identification Flashcards

Brainscape's Knowledge Genome^TM