What is information security asset management?
1. What is an asset? Anything that has value to the organization.
2. What is an information asset? It is valuable information or a valuable resource that can exist in many forms, tangible or intangible. ISO 17799 gives a more precise and specific definition: "Information is an asset. Like other important business assets, it is valuable to the organization and therefore needs to be properly protected."
3. The information security asset management process: (1) determine what the information assets are; (2) asset identification; (3) asset evaluation; (4) asset risk assessment; (5) asset management.
4. Asset identification:
(1) information assets: databases and data files, contracts and agreements, system files, research information, user manuals, training materials, operations or support procedures, business continuity plans, backup operation arrangements, audit records, archived information;
(2) software assets: application software, system software, development tools and utilities;
(3) physical assets: computer equipment, communication equipment, removable media and other equipment;
(4) services: computing and communication services, and general utilities such as heating, lighting, power and air conditioning;
(5) personnel, together with their qualifications, skills and experience;
(6) intangible assets, such as the reputation and image of the organization. In short, assets are either tangible or intangible.
All assets are useful to the organization, so "asset evaluation" should be carried out. Generally, asset evaluation is based on the confidentiality, integrity, availability and other requirements placed on the information.
5. The 10 major asset evaluation factors:
(1) the cost required to acquire or develop the asset;
(2) the cost required to maintain and protect the asset;
(3) the value of the asset to its owner and users;
(4) the value of the asset to competitors;
(5) the value of the intellectual property rights in the asset;
(6) the price others would pay to purchase the asset;
(7) the cost of replacing the asset if it is lost;
(8) the loss of operational and working capability when the asset is unavailable;
(9) liability issues arising when the asset is damaged;
(10) the use of the asset.
The commonly used method of asset valuation is to establish the relative value of assets qualitatively, in a hierarchy of levels. This relative value is then the basis for deciding which assets are important and how many resources to invest in protecting them.
6. Asset risk assessment: implement control measures to avoid, transfer or reduce risks to an acceptable level.
(1) Threat identification (threats are factors or events that may cause potential damage to the organization and its assets). Threats are influenced by four factors:
1) the attractiveness of the asset;
2) the ease of converting the asset into gain;
3) the technical capability of the threat source;
4) the difficulty of exploiting the asset.
(2) Vulnerability identification (this can be completed through a vulnerability assessment; vulnerabilities exist in the asset itself and can be exploited by a threat to cause damage to the asset or to business goals).
The methods used for vulnerability identification are questionnaires, personnel interviews, tool scanning, manual inspection, document review and penetration testing.
(3) Once the risk assessment has established the frequency of threats, their probability of occurrence and the vulnerability value, the risk to an asset can be calculated with the following formula:
R = f(A, V, T) = f(Ia, L(Va, T))
where R is the risk; A is the asset; V is the vulnerability; T is the threat; Ia is the impact on the organization's business after a security event involving the asset (also known as the importance of the asset); Va is the vulnerability of the asset; and L is the likelihood of a security incident caused by a threat exploiting the asset's vulnerability.
(4) Selection and implementation of security control measures, taking into account:
1) the degree of protection the asset requires;
2) cost;
3) ease of implementation;
4) requirements of laws and regulations;
5) customer and other contractual requirements.
(5) Risk acceptance: residual risks are classified as either "acceptable" or "unacceptable".
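The following is an added worked example, not code from the original article: it builds a small qualitative asset register (C/I/A levels from the asset evaluation step), computes R = f(A, V, T) = f(Ia, L(Va, T)) for each asset, and classifies the residual risk as acceptable or unacceptable. The concrete lookup tables, the choice of Ia as the highest C/I/A requirement, and the acceptance threshold are assumptions in the style of a 3x3 risk matrix; the article does not fix the function f.

```python
# Added example (not from the original article): qualitative asset risk scoring.
# All tables and thresholds below are assumptions, not values given in the text.
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Asset:
    name: str
    confidentiality: str   # C/I/A requirements, each "low", "medium" or "high"
    integrity: str
    availability: str
    vulnerability: str     # Va: how exposed the asset's own weakness is
    threat: str            # T: strength and likelihood of the threat source

def importance(asset):
    """Ia: impact of a security event, taken as the highest C/I/A requirement (assumption)."""
    return max(LEVELS[asset.confidentiality], LEVELS[asset.integrity], LEVELS[asset.availability])

# L(Va, T): likelihood that the threat exploits the vulnerability (assumed 3x3 matrix, 1..3)
LIKELIHOOD = {
    1: {1: 1, 2: 1, 3: 2},
    2: {1: 1, 2: 2, 3: 3},
    3: {1: 2, 2: 3, 3: 3},
}

def likelihood(va, t):
    return LIKELIHOOD[va][t]

def risk_score(asset):
    """R = f(Ia, L): impact times likelihood on a 1..9 scale (assumption)."""
    return importance(asset) * likelihood(LEVELS[asset.vulnerability], LEVELS[asset.threat])

def risk_level(score):
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

def assess(register, appetite=3):
    """Rank assets by risk; residual risk above the appetite is 'unacceptable' (assumed threshold)."""
    rows = [{"asset": a.name, "score": risk_score(a), "level": risk_level(risk_score(a)),
             "acceptable": risk_score(a) <= appetite} for a in register]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample register; asset types are taken from the identification list in the article.
REGISTER = [
    Asset("customer database", "high", "high", "medium", "high", "high"),
    Asset("training materials", "low", "medium", "low", "medium", "low"),
    Asset("backup operation arrangement", "medium", "high", "high", "low", "medium"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['asset']:30} R={row['score']} ({row['level']}) acceptable={row['acceptable']}")
```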
7. During the establishment, implementation and operation of the information security management system, assets are managed through the following controls:
(1) asset inventory, which must reflect:
(1.1) procurement and acquisition of new assets;
(1.2) changes in the classification level of existing information assets;
(1.3) the timeliness of assets;
(1.4) changes required by laws, regulations and contractors;
(2) asset owner;
(3) acceptable use of assets;
(4) classification guidelines;
(5) marking and handling of information;
(6) management of confidential information:
(6.1) storage of confidential information;
(6.2) access permissions for confidential information;
(6.3) use of confidential information;
(6.4) sending of confidential information.
Finally, in one sentence: information assets are the object that the information security management system protects. Information asset management therefore plays an important role in the establishment, implementation and operation of the entire information security management system.